Java creator trying to win the stupidest statement award of the year
-
My friend (pro-Linux) sent this URL to our class mailing list :-

Huge security hole in .NET: Java creator [^]

This was my reply :-

What else would you expect a Java person to say :-) I primarily specialize in C++/CLI (formerly Managed C++) and the reason it's the most powerful .NET language is that it supports 3 compiler modes :-

* pure managed (this produces IL that is the same as what C# or VB.NET or J# will produce and is safe/secure etc)
* unmanaged (or native) - does not target the .NET runtime - produces PE executables and native DLLs
* mixed mode - has managed and unmanaged code in the same assembly - the managed portions will run under .NET security, while the unmanaged components will run under normal Windows security.

What Gosling is trying to say is probably that a mixed mode app/DLL is unsafe because it has portions of code that will run outside the security model of the CLR. But then the developer (when he's using unmanaged code) is taking responsibility for what he's doing. He'll have to make sure his native code blocks don't have any gaping holes. I don't believe any sane person can assume that this is a .NET issue - it's just that C++ offers one the option to shoot yourself in the foot. Java won't let you do that - Java is probably meant for babies and little children***(see below). C++ is targeted at tougher people - or rather tougher programmers.

What's more, C# and VB.NET can use .NET code access security features to make sure that unmanaged transitions are disallowed. This means that when a C# program accesses a C++ generated DLL that may contain unmanaged code, the unmanaged code won't be allowed to execute - instead, a security exception gets thrown.

I myself always look out for security holes and other issues with .NET and the CLR (since knowing them increases my market potential), but meaningless shit like what this Gosling fellow throws out makes me wanna puke. If he wants to make grand statements like that, he could at least have got the facts right.

Nish

Regards Nish

*** [edit]I replaced pregnant women with little children as I felt the usage of pregnant women would give the impression that I am looking down upon women.[/edit]

With C++/CLI, you can pick one of three models. In order of safety:
- Safe (/clr:safe). Emits only verifiable IL
- Pure (/clr:pure). Emits only IL, no native code
- Mixed (/clr). Tries to emit IL as far as possible, falls back on native code for constructs not possible in IL.
The verifiable flag is important. If verification is enabled (which it is, by default, for all non-local code) the JIT will throw an exception (a VerificationException, IIRC) if any construct is encountered which is not verifiable. The same applies to C# unsafe blocks. A difference here is that the programmer must explicitly opt in to non-verifiable code in C# (by writing an unsafe block and using the /unsafe switch to the compiler), while in C++/CLI you must opt out.

The rules about what code is allowed to execute unverifiable IL are part of the current security policy. You could edit machine.config to remove unverifiable code permission from the default machine policy set, for example. You could also edit the Internet zone policy to allow unverifiable code but this would be a seriously bad idea.

So the difference is that Java does not allow you to execute non-verifiable code directly in the virtual machine. It's not clear to me what protections are offered against loading native, unmanaged code using JNI. Since JNI code runs in-process in the VM, it can do anything - in the same way that P/Invoke code can do anything in the CLR.

Stability. What an interesting concept. -- Chris Maunder
-
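The policy gate discussed in the posts above (the right to call unmanaged code is part of the grant set, and a blocked transition surfaces as a security exception), as an added example that is not from the thread. It assumes .NET Framework 2.0-4.x, where Code Access Security is enforced; the `Worker` type, the domain name "sandbox" and the choice of `GetCurrentProcessId` as the native call are hypothetical and chosen only for illustration.

```csharp
// Added example, not code from the thread. .NET Framework only:
// CAS sandboxing is not available on .NET Core / .NET 5+.
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;

// Hypothetical worker type. MarshalByRefObject lets the host call it
// across the AppDomain boundary through a proxy.
public class Worker : MarshalByRefObject
{
    // P/Invoke is a managed-to-unmanaged transition; the CLR demands
    // SecurityPermission(UnmanagedCode) from every caller on the stack.
    [DllImport("kernel32.dll")]
    private static extern uint GetCurrentProcessId();

    public string ManagedOnly()
    {
        return "managed code ran";
    }

    public string CallNative()
    {
        try
        {
            return "native call returned " + GetCurrentProcessId();
        }
        catch (SecurityException e)
        {
            return "blocked: " + e.Message;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Grant set for the sandbox: permission to execute and nothing
        // else. UnmanagedCode and SkipVerification are not granted.
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

        AppDomain sandbox = AppDomain.CreateDomain("sandbox", null, setup, grant);
        Worker w = (Worker)sandbox.CreateInstanceAndUnwrap(
            typeof(Worker).Assembly.FullName, typeof(Worker).FullName);

        Console.WriteLine(w.ManagedOnly()); // pure managed call is allowed
        Console.WriteLine(w.CallNative());  // P/Invoke is denied by the grant set
        AppDomain.Unload(sandbox);
    }
}
```
-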
At least, have him heard of JNI? AFAIK, it's a "security hole" as big as .NET native code.

Yes, even I am blogging now!
-
JasonKnox wrote: Have u understood the sense of java?

The point is that Gosling hasn't understood the concept of C++/CLI and how it relates to the .NET framework. Gosling is doing the political dance. Which is sad, because he's a pretty skilled engineer. And, by the way, "you" is spelled "you" in English. Is it really that hard to remember, or are you too lazy to type it?

-- My name in Katakana is ヨルゲン. My name in German is Jörgen. I blog too now[^]
The only problem im having at this point is that i cant go conform with "java is for pregnent women". So is .NET for lesbians? If hes earning his money with MS i appreciate that but i dislike those crusades. Whats the point in telling me how to spell something? Is this some sort of an argument?
-
JasonKnox wrote: The only problem im having at this point is that i cant go conform with "java is for pregnent women".

It was perhaps not the most wisely chosen words, but it does give IMO an accurate picture of the Java language. It also describes VB and C# (2.0 with generics seems like a great step forward, but it still feels like a nanny language).

JasonKnox wrote: So is .NET for lesbians?

Last time I checked, Lauren didn't seem too hot on .NET :-D

JasonKnox wrote: Whats the point in telling me how to spell something? Is this some sort of an argument?

People will take you seriously.

-- My name in Katakana is ヨルゲン. My name in German is Jörgen. I blog too now[^]
-
Can one block assemblies containing "unsafe" code in .NET? I believe you can block JNI stuff in Java.

-- My name in Katakana is ヨルゲン. My name in German is Jörgen. I blog too now[^]
-
[quote]Java won't let you do that - Java is probably meant for babies and pregnant women. C++ is targetted at tougher people - or rather tougher programmers.[/quote] Have u understood the sense of java? Do you think your no.300 clone of tic-tac-toe in your DOSbox means that your rule all those java coders out there? Ever thought of taking the best language in the right situation instead of trying to drag-and-drop your new gui in visual studio? And btw. whats the sense of bytecode if its bound to windows again? Safety? - why? - because of the cute c++ programmers that wont be able to code responsibly?
JasonKnox wrote: Have u understood the sense of java?

Possibly, though it's impossible to know for sure because I can't really "understood" what "u" mean

JasonKnox wrote: whats the sense of bytecode if its bound to windows again?

Umm... not sure if you are referring to .NET cause bytecode is java. .NET gets compiled to IL

JasonKnox wrote: because of the cute c++ programmers that wont be able to code responsibly?

I have yet to see a "cute" c++ programmer so I don't see the relevance of your statement, then again I don't really understand most of what you said.

Matt Newman
Even the very best tools in the hands of an idiot will produce something of little or no value. - Chris Meech on Idiots
-
[MSA] Matt Newman wrote: JasonKnox wrote: whats the sense of bytecode if its bound to windows again? Umm... not sure if you are refering to .NET cause bytecode is java. .NET gets compiled to IL

name it like you want.

[MSA] Matt Newman wrote: I don't see the relevance of your statement

read my second posting in this thread.
-
Who spat in your test tube?
Do you want to know more? WDevs.com - Open Source Code Hosting, Blogs, FTP, Mail and Forums
I think you mean an 'h' instead of a 'p' in spat.
Software Zen:
delete this;
-
JasonKnox wrote: name it like you want.

I'd rather stick with the proper definition - that way no one gets confused. If there is one thing that really hurts productivity in a project, that could very easily be fixed, is when people use different appellations for the same thing.
Do you want to know more? WDevs.com - Open Source Code Hosting, Blogs, FTP, Mail and Forums
-
Gary R. Wheeler wrote: I think you mean an 'h' instead of a 'p' in spat.

This is the Lounge - and I didn't want to get too scatalogical. I figured that substituting an act of expectoration would keep within the Lounge's PG guidelines.
Do you want to know more? WDevs.com - Open Source Code Hosting, Blogs, FTP, Mail and Forums
-
Yes, unsafe code is blocked by default if run remotely. That's the purpose of 'unsafe' blocks.

Christian

I have several lifelong friends that are New Yorkers but I have always gravitated toward the weirdo's. - Richard Stringer
-
Looks like the Java guy lost the contest.

Christian

I have several lifelong friends that are New Yorkers but I have always gravitated toward the weirdo's. - Richard Stringer
-
Java won't let you do that - Java is probably meant for babies and pregnant women. C++ is targetted at tougher people - or rather tougher programmers.

(sigh) Do we really have to make our choice of language into some test of manhood? Real men use C++? (I can already hear the assembly language programmers questioning the "toughness" and manliness of C++ programmers.) I'm not a Java programmer, but I fully support making languages that help developers avoid problems, rather than castigating languages as being for the weak-minded when they do this.

[Edit] I suppose I should say that I'm a C++/MFC programmer before someone accuses me of using VB. :~ [\Edit]

-----------------------------------------------------
Empires Of Steel[^]
-
Uhm.. there is no semantic difference between java bytecode and IL. IL is run in the .NET interpreter, and the java bytecode is run in the java virtual machine. Or have I missed something..?

-- My name in Katakana is ヨルゲン. My name in German is Jörgen. I blog too now[^]
-
There's no such thing as an ".NET interpreter". .NET always executes code natively. The IL gets compiled into x86 instructions by the JITter before executing.
A complex system that does not work is invariably found to have evolved from a simpler system that worked just fine. - Murphy's Law of Computing
-
Yea, Nish. You tell 'em what-for! (A vote of 5 for you)

Jerry

He said this was like painstakingly assembling the first layer of a house of cards, then boasting that the next 15,000 layers were a mere formality.--The Code Book, pp. 331

Toasty0.com DotNetGroup.org
-
Yeah that's true, but I thought Java also now has a JIT, so I think the argument that they are semantically similar still holds.