For Windows, Less Fat Means Fewer Bugs
Eugenia Loli, 2003-04-30, Windows

With Windows Server 2003, Microsoft is promising greater security. However, its 50 million lines of code mean it’ll never be secure enough. Read the article at BusinessWeek.

26 Comments

2003-04-30 12:23 pm
I’m naked.

2003-04-30 12:25 pm
Well, considering everything included in the OS, is 50,000 KLOC really that big and incapable of being secure? I would imagine that Mac OS X, *BSD, Solaris, AIX, and Linux are all within an order of magnitude of that amount.

2003-04-30 1:04 pm
50,000,000 lines, not 50,000 lines. And yes, that is much bigger!

2003-04-30 1:33 pm
What do you think the “K” in KLOC means? 50,000K = 50 million. Think or read before you post – either will do.

2003-04-30 1:55 pm
Security is certainly important. However, many enterprises are probably not using Windows 2003 as their frontline servers. Didn’t one of the latest articles call Windows 2003 “ready to compete with UNIX” and “datacenter Windows” or something like that?
What’s more critical than security is that the server actually work properly. And with 50 million lines of Microsoft code, the likelihood of that is very low.
One can only wonder what the real bug count is…

2003-04-30 1:56 pm
Or both, preferably.

2003-04-30 2:07 pm
I bet I could take the same exact medium required to store Windows 2003 Server code and save EVERY version and even milestone in FULL of BeOS, and probably still have room for the code for a Linux distro’s base code. Winders has so many lines of code because developers used to be paid by the line. I am not sure if this is still the case at M$, but it surely isn’t one that is going to turn out efficient code (I can take one line in BeOS to create an application, and run it, and clean memory up, or I can use two hundred to do the same thing by simply overriding hook calls already in the system. $$ 😉 ).
–The loon (Soo busy….soo..soo…soo busy…and pretty close to broke…)

2003-04-30 2:09 pm
I am not really used to seeing things displayed in such a screwy way! That’s like saying I have 2000 mL of pop… just weird I guess. And thanks for being nice, man…. (Think or read before you post – either will do) I bet you never screw up! ahole

2003-04-30 2:30 pm
Just curious… all this talk about Longhorn and submitting back data to Microsoft to get rid of piracy and things like that… Is there anything known about the 2003 Server? What can we/I expect?

2003-04-30 2:39 pm
If Microsoft would have actually bitten the bullet and gone with a modular Windows OS setup, instead of trying to tie everything into one OS package, they’d actually have probably had more success in sales and security and would be more welcomed in the Enterprise Server market. We all know they CAN do it, but they just don’t want to for some reason. If you only load the OS and services you NEED on your system, that reduces the time needed to lock it down, and returns on investment go way up.
Vic

2003-04-30 3:22 pm
The article was going okay until I got towards the end… Windows is extremely complicated; all those features that people like and need require code. The idea that simply reducing the # of lines of code will stop bugs is ridiculous. The stated goal of having fewer lines of code than in previous versions is also ridiculous.

2003-04-30 3:35 pm
Well, the reason MS has so many lines of code is that they have very little code reuse in the system. If a team gets paid by the line and they can get the job done by calling a function or a class, they will do it the long way and reimplement the entire thing so they have more lines of code. 10 bucks says there are 10 different print functions or objects (depending on if they use C or C++) in that code.

2003-04-30 3:47 pm
“Well, considering everything included in the OS, is 50,000 KLOC really that big and incapable of being secure?”
Well, it depends on how those lines of code are structured. Microsoft likes to tie everything into core OS functions. This means that even your humble Web browser or e-mail client can be a major security risk. By contrast, GNU/Linux and Mac OS X modularise things much more. A hole in Mozilla or Apache can’t compromise your system nearly as much as a hole in IE or IIS can. If you really must use Windows, you are much safer if you turn off everything you can in the OS and you don’t install anything that is made by Microsoft.

2003-04-30 3:51 pm
“10 bucks says there are 10 different print functions or objects (depending on if they use C or C++) in that code.”
Depending on the technology you use when programming for Windows, you might use a RECT (Windows SDK) or a CRect (MFC) or a Rect (GDI+) to identify a rectangular area on the screen. And then you have all the different string types… C strings, STL strings, MFC CStrings, and VB/COM BSTRs. And then you have to remember which is ASCII and which is Unicode and how to convert between the two and between the different string types. It’s all a big ugly mess.

2003-04-30 3:54 pm
Which is why it would be more secure and more stable with less code… you can get rid of the mess. I think MS needs to have a side project that rewrites Windows using one standard and sticks with it.

2003-04-30 4:04 pm
Being that it is closed source, all of your comments regarding the Windows source are pure speculation…

2003-04-30 4:05 pm
As far as I know, but only as far as I know, MS has never paid by the line. Remember, MS was started by a few software geeks who knew better. IBM, however, was an established hardware (not really computer hardware) company that didn’t understand the smaller-is-better idea. They did pay by the line and their code grew fat because of it. I think this is where the paid-by-the-KLOC thing about MS got started. Once again, this is as far as I know, but only as far as I know.

2003-04-30 5:13 pm
Seems lots of people harp on about this ‘paying by the line’ for code (IBM, MS..) and just as many people say it’s a mere myth. It certainly sounds like bull. Are there actually any facts regarding it?

2003-04-30 5:28 pm
I remember reading an interview with Gates years ago when he talked about IBM, who were obsessed with the idea of paying by KLOC, and how dumb he thought that was. However, at 50M lines it looks like that lesson has been forgotten. That’s a horrifying amount of code; it seems hard to believe that it’s all good.

2003-04-30 5:38 pm
“I’m naked.”
And you’re not wearing any clothes too.

2003-04-30 6:24 pm
I thought the article provided good information, good editorializing and good theories… but the author went a little too far with his clever little word games. Why can’t he just say “Microsoft” or “Windows” instead of making up little gumshoe detective jokes every time? It cuts down on both the readability and the integrity.
50 million lines of code is an astronomical amount and I would never ever want to be involved in a project that was so big. I expect that the people at MS are extremely organized and skilled in order to handle all of that, but I wonder how much more impressive their work would be if they spent five years making the code base smaller and more efficient and did not add a single new feature. This would NEVER happen. Not to any commercial software maker. This is why commercial software only gets bigger and slower. When was the last time a company thought it would be profitable to actually make their product more efficient? They only think about features.

2003-04-30 7:30 pm
I agree, but adding more code increases the complexity of the particular component. This will indeed create security holes. Second thing is, if your main business runs on databases, mail or web-based applications, you need not have GUI-based components. Setting up such services from a text-based console is most appropriate. It will save much of your RAM and processing time. If you are using graphic applications then GUI components are a must. Finally, a server OS should be scalable to the needs and wants of the organisation. I think if Microsoft wants to make their OS a successful high-end server then it should address these points.

2003-04-30 7:33 pm
Jesus Christ. Once again anti-MS zealots prove their stubbornness and illogical level of hate. Can’t pick on Win2k3 on the stability and performance side anymore? Well, who the hell cares, it’s 50 MILLION LINES OF CODE!!! It’s GOTTA SUCK!!! Give me a friggin’ break. If MS revealed tomorrow that Win2k3 is just a window manager running Linux underneath, you’d still find something to bitch about.

2003-04-30 7:46 pm
If MS had a team coming up behind all their programmers rewriting their code, what is the point of having the first line of programmers? They would just be making a function work enough to ship, then in the next point release the backup team will reduce the code to make it faster / more secure? Seems horribly inefficient; perhaps do it slower/right the first time would be better mojo…
And how much code can actually be removed? It’s not like Windows can be coded in a couple million lines of code, even in an extremely high-level language. Which raises the point that at some point all the code must be compiled, and 1 line of C++ can become 20 lines of assembly/binary code. So whatever code you do remove from Windows is multiplied enormously by the code that will now never appear downstream.
In any case, all the studies I see show Linux has just as many security bugs as Microsoft over the years, but ideologues like to slam MS because it gives them a boner or something. Windows may have tons of security holes, but most will never be found due to its closed source. Linux may have fewer security holes, but more of them are found because of its open source. It all balances in the end.
Hmm, I only got half a boner from this… well, I’ll rub one out anyways.

2003-04-30 7:49 pm
Eventually security will plague Windows because it is the most widely used operating system.

2003-05-02 1:41 am
Usually, before people bother to chime in with a correction they take the time to check their own facts. Take it any way you want, but I still think it was/is sound advice. If you’d take it to heart, maybe you’d screw up less often?
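The 3:51 pm comment lists the string types a Windows programmer juggles (C strings, STL strings, MFC CStrings, COM BSTRs) and the ASCII/Unicode conversions between them. As an added example, not from this thread or from any Microsoft code, the portable C++ below models the two conversion mistakes that mix produces: treating a length-prefixed BSTR as a NUL-terminated C string, and sizing a wide-character buffer in bytes where a character count is expected. FakeBstr is a constructed stand-in for the real BSTR layout, so it builds and runs without Windows headers.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Stand-in for a COM BSTR, constructed for this example (not the real
// SysAllocString layout). It keeps the key property of a BSTR: the length
// is carried separately from the data (the real one uses a 32-bit byte-count
// prefix), so a BSTR may legally contain embedded NULs, while a C string
// ends at the first NUL.
struct FakeBstr {
    std::u16string units;                                   // UTF-16 code units
    uint32_t byte_len() const { return static_cast<uint32_t>(units.size() * 2); }
    const char16_t* data() const { return units.c_str(); }  // NUL-terminated
};

// Pitfall 1: treating a BSTR as a NUL-terminated wide C string (lstrlenW-style
// scan). Everything after an embedded NUL is silently dropped, so a check made
// on this copy does not see what a length-aware consumer of the same BSTR sees.
std::string bstr_to_ascii_naive(const FakeBstr& b) {
    std::string out;
    for (const char16_t* p = b.data(); *p != 0; ++p)
        out.push_back(*p < 0x80 ? static_cast<char>(*p) : '?');
    return out;
}

// Correct: honour the carried length (SysStringLen semantics) and convert
// exactly byte_len/2 code units, embedded NULs included.
std::string bstr_to_ascii_by_length(const FakeBstr& b) {
    std::string out;
    for (uint32_t i = 0; i < b.byte_len() / 2; ++i) {
        char16_t c = b.data()[i];
        out.push_back(c < 0x80 ? static_cast<char>(c) : '?');
    }
    return out;
}

// Pitfall 2: a wide buffer's size in bytes (sizeof(buf)) is not its size in
// characters. Windows conversion APIs take the destination size in characters;
// passing sizeof() overstates capacity by 2x and overruns the buffer. This
// helper takes bytes, converts to code units, and refuses to overrun.
// Returns the number of code units written (NUL not counted), or 0 if the
// string plus its terminator does not fit.
std::size_t ascii_to_wide_checked(const std::string& s, char16_t* dst, std::size_t dst_bytes) {
    std::size_t capacity_units = dst_bytes / sizeof(char16_t);
    if (s.size() + 1 > capacity_units) return 0;     // no room for data + NUL
    for (std::size_t i = 0; i < s.size(); ++i)
        dst[i] = static_cast<unsigned char>(s[i]);
    dst[s.size()] = 0;
    return s.size();
}
```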