“Microsoft will more quickly retire old code in its Windows operating system and other software as a result of the company’s four-month-old “trustworthy computing” initiative, the company’s lead bug basher said in an interview.” Read the rest of the article at ZDNews.
Outdated Windows Code Poses a Threat
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
Duh.
Eh… I heard that there was megabytes of code in Word that nobody knew what it did, but nobody dared to remove because it might break backwards compability… a rumor maybe… but still… Microsoft used to pay their employees by the number of lines of code…
Now, I read this article…
…then I read it again.
I’m not sure as to what this is supposed to mean.
According to Joel (of “Joel on Software” fame, whose opinions I highly regard) you should NEVER, EVER start from scratch or re-write code that works. (See the following article: http://www.joelonsoftware.com/articles/TwoStories.html Incidentally, he praises Microsoft in another of his articles here: http://www.joelonsoftware.com/articles/fog0000000069.html )
)
Now, as a software manager, and one that deals with Open Source, I agree (one could easily think of Open Source as a way to re-use, instead of re-write, software.) It’s very, very important to not break something that works. But the way I read this article, it seems that Microsoft wants to throw out “old” code, just based on the fact that it is “old”. That seems just plain dumb.
Now, I’ll be the first to admit that software project carry along a LOT of old legacy code, especially in the cases that they have in the past, or currently do run on multiple platforms (Word was on DOS, Win16, and Mac toolbox, it’s now on Win32, MacOS X, and possibly on Win64, although MS may be moving it to be on CLR, in which case they don’t need to worry about “ports” anymore.) and in other cases, it may have even come through an acquisition (Microsoft bought Visio, for example, and PowerPoint, which not many people know.) At any rate, there’s often a lot of code, which few programmers on the project know the 100% history of.
Now, “old” code means to me “code that is no longer used” not “code that was originally created 5 years ago”. But from the context of the article, they seem to imply that Microsoft is using the latter definition. This would make no sense whatsoever.
Code that stays in a project, rev after rev, is code that works. Period. Code that doesn’t work, gets changed — sooner or later. What Microsoft REALLY needs to do is have a code review, and figure out what works (and keep it), what doesn’t work (and fix it), and what isn’t used (and archive it and get it out ofthe way.) They need to refactor their code, not just prune out “old” code.
If a project can’t be put into a block diagram, and a coder can’t look at a module and see (a) where it fits into the diagram (b) what the code is supposed to do
/* That’s what comments are for, people!!! */
// So use them!
and (c) match that module to a feature in the spec, then the project is in serious need of a code review.
(No more Monday morning rants before caffine, I promise!)
Cheers,
Ken
OKAY, I REALLY shouldn’t post before having caffine…
The two “Joel on Software” URL’s are reversed above.
Ken
relax man.. it’s just the usual marketing BS.. nothing is really going to happen…
and throwing out old legacy code.. hah.. c’mon.. they are not going to throw away their nr. 1 income source..
What will they do with all that NEW code that does the same thing?
“Now, as a software manager, and one that deals with Open Source, I agree (one could easily think of Open Source as a way to re-use, instead of re-write, software.)”
Yes and no… For example… Much of the open source code out there is so badly written that there is no way I am allowing to polute my software. In this case, I am better off writing my own stuff, even if that means I have to re-write instead of re-use. (Some of the GNU utilities use goto(). goto() in C code? LOL give me a break. Can you say “poor style”? Sure you can…)
“/* That’s what comments are for, people!!! */
// So use them!”
Comments? What are those? Oh yeah.. I remember… But if I use those, I can’t write obfuscated code that no one including myself can figure out 6 months later… Oh wait… Nevermind… I can use Perl! That way I can write obfuscated code without even meaning too even if I do use comments! :p
Isn’t that what high level refactoring is? Rewriting code, removing parts you don’t need.
So you should never rewrite code that works? Well by that thinking I will be driving a Chevette for the rest of my life (just because it works.)
In fact, while we are not rewriting and improving code, why don’t we all stop using alternative operating systems and run MS Word?
If you value quality, performance, and robustness you should refactor code often. This can involve complete rewrite and major architectural changes.
So you should never rewrite code that works? Well by that thinking I will be driving a Chevette for the rest of my life (just because it works.)
I guess it comes down to a matter of definitions. I don’t view refactor == rewrite. Rewrite, to me, means that you throw away code and start from scratch, so rewrite == “rewrite from scratch.” Refactor, OTOH, == “clean up, make legible, but don’t re-do.” Perhaps my definitions above wer e too terse and unclear.
Much of the open source code out there is so badly written that there is no way I am allowing to polute my software.
Now this is something that I agree with, actually. However, the point I was making was not the willy-nilly inclusion of open-source code, and not to start a “Open Source code is better than closed source code” flamewar. (Incidentally, there’s no answer to that issue, as, by definition, closed source code is not visible, so there is no way to know its quality — one can only infer it from the resulting binaries.) There are a lot of bits of Open Source code out there that are very good, that are worth using, and that it makes no sense to re-invent. We trust code from vendors every day. A great deal of Windows softare RAD comes from the fact that you have pre-compiled OCX’s (and now, CLR libraries) often coming from 3rd parties (i.e. not MS). You don’t get the source to those, so you have NO IDEA how good/bad they’re written. Having the source means that the debugger can step through EVERYTHING including the CRT and kernel and other nasty bits that often get overlooked for bugs when doing userland stuff.
Cheers,
Ken
PS: If you’re looking for utility, then yes, drive a Chevette [/i]ad infinitum[/i]. 🙂
The problem is, too many software engineers fall into the “creeping elegance” and never believe something can’t be improved. In my opinion, if it works, it’s good.
What they’re really trying to do is make the public (and corporations who still use older products) believe that running their older products will allow terrorists to take over/destroy the US/world using their systems because the older software has really bad bugs that would allow it. By doing that Microsoft then has convinced yet more people that upgrading, and spending more money, is The Right Thing To Do. Go on, upgrade it’s The American Thing To Do, because if you don’t then you’re obviously working with The Bad People and want to Destroy The American Dream. Either that or you’re just happy running your old software, but happiness and contentment isn’t allowed, didn’t you know, didn’t you read the email?
“Now this is something that I agree with, actually. However, the point I was making was not the willy-nilly inclusion of open-source code, and not to start a “Open Source code is better than closed source code” flamewar. (Incidentally, there’s no answer to that issue, as, by definition, closed source code is not visible, so there is no way to know its quality — one can only infer it from the resulting binaries.)”
That’s true. I wasn’t intending to start an open source vs. closed source war either. You are right, if I use a commercial library that does not give me the source, I have no way of knowing whether the code is any good or not. I have to base my assmuption on the quality of the binary, and also on the assumption that a commercial company is going to do some quality assurance testing before they release a product.
“There are a lot of bits of Open Source code out there that are very good, that are worth using, and that it makes no sense to re-invent.”
That’s true. Assuming the code is licensed under the LGPL and not the GPL. Just my personal opinion, but I refuse to link against GPL code because of the virus properties of the GPL license. Any code you write that is linked against a GPL library automatically “inherits” the GPL license from the library you used. The LGPL avoids this problem of course, and I have no problem with using well designed LGPL libraries in my software (GTK for example).
please take it easy
GPL just say: want to use it in your code? Play with our rules. Do not like them? You are free to ignore our work.
there is nothing viral.
Is like blaming someone for asking you to sing a NDA if you want to use their closed code.
Same stuff. or you like and play fair or you don’t and then just forgot about it.
Plain and simple
I don’t know what makes certain Windows code “outdated”, but I think that they have it backwards. Rather than go after older code because it might pose a threat, they could go after any code, old or new, that causes problems. I mean, it’s not like MS coders magically stopped making mistakes on a certain date! The new bugs just might be more insidious than rarely-used old bugs.
“GPL just say: want to use it in your code? Play with our rules. Do not like them? You are free to ignore our work.”
It is viral in the sense that anything code you write has to be GPL if it is linked against any GPL library. Even if it only uses a single function from that library!
This is why the LGPL was written. Originally, LGPL was written for the GCC compiler because the devlopers knew GCC wouldn’t have a chance if the libraries were licensed under the GPL.
Think about it. If GCC used the GPL for its libraries, any software you wrote that used functions from stdio.h would have to be GPL.
Want to use printf() in your program! Bzzt! Sorry, your software now inherits the GPL license!
Fortunately, GCC’s libraries are not licensed under the GPL.
That’s what I mean by viral. You can’t even use functions in a GPL library in your software unless you GPL your entire software.
What they are doing here is throwing away their old gopher stuff, which was the cause of a security hole in Microsoft’s software.
This is not re-writing from scratch, or even getting rid of code that could still be used.
NOBODY uses Gopher anymore.
NOBODY uses Gopher anymore.
That’s not true. In fact, just recently it was used in an exploit to compromise Windows security. Doh!!!
I think the problem with Joel’s argument is that code does “rust”. Example: System calls become depreciated/replaced, assumptions about the system become untrue (int size [16->32 bit shift]/etc), paradigms shift dramatically (e.g non-threaded -> threaded Solaris 2 or DBMS systems to some extent).
These modules do need to be refactored/rewritten.
Similarly, I don’t know a company who completely throws out code without due cause. E.g. Netscape (Joel’s example) needed to get rid of IP that wasn’t their own, same with the BSD “rewrite”. Even in these cases, a good portion of the code was kept, but specific modules were replaced with something that was more feature bound/their’s.
Just when NT was getting secure and fully patched.
<a href=”http://newsforge.com/newsforge/02/06/05/1228236.shtml?tid=2“>htt…
Security thru obscurity is what Windows and IIS are all about, I don’t think it’s really successful. Ofcourse it is going to work at the start, but as soon as some more people start to do the same trick, your once “obscure” software will become somewhat “mainstream” and make it up to the kiddies hangouts.
The best security possible is the one offered by open source software. If ppl can’t figure out how to enter in the system even though they have the sources right in their face and thousand of instances of the software available for probing, then you can say it’s _secure_.
<sarcasm>I’ll do a ROT14 on my documents and won’t tell anyone.. AHAHA! now I’m 100% secure!</sarcasm>