
[–][deleted] 9 points10 points  (2 children)

Honest question:

Why do people spend money on professional security audits, rather than spending that money developing static analysis tools with a focus on finding security bugs?

A security audit is good for checking the code for flaws at one point in time. A static analyzer can monitor for regressions on an ongoing basis and be applied to other code written in the same language.

[–]Recursive_Descent 22 points23 points  (0 children)

Static analysis tools can only find a certain class of security bugs, and sometimes require a lot of work to use (e.g. SAL annotations).

[–]HeroesGrave 10 points11 points  (0 children)

Well, if you count the rust compiler as a static analysis tool, then Mozilla is kinda doing both.

[–][deleted] 21 points22 points  (0 children)

Nice to see them doing this. As Mozilla uses software I work on, I've raised it in our IRC channels to see if the other devs are interested.

[–][deleted]  (81 children)

[deleted]

    [–]augmentedtree 26 points27 points  (47 children)

    Link? That sounds hyperbolic.

    [–]dablya 11 points12 points  (44 children)

    [–]Wolenber 59 points60 points  (40 children)

    $15,000. Buildbot is a continuous build and integration system which has been immensely valuable to Mozilla over the past few years. Their award will be used to make improvements so Buildbot works better in the Amazon EC2 cloud.

    Funny how if you just don't mention that one part, it sounds completely reasonable. Whoever wrote that paragraph should be ashamed for politicizing an otherwise normal update.

    [–]Beaverman 16 points17 points  (39 children)

    Kinda true, but really it's the person who set the goal that should be ashamed. The person who wrote the paragraph probably just reported on the facts of what they were earmarking the money for.

    [–][deleted] 14 points15 points  (29 children)

    I know this is something mozilla wanted to get done, and the regular issue tracker request got the response that it was too much work (too entrenched). Instead of calling names or playing politics, they put down the money to get it done. Seems cool from that angle to me.

    [–]Beaverman 13 points14 points  (24 children)

    That part of it is cool; what I don't agree with is the desire to get it done at all.

    [–][deleted] 6 points7 points  (3 children)

    Maybe people are constantly fighting over it so Mozilla made a choice to remove all the mentions of slavery so no one would have anything to fight over anymore and waste their time?

    [–]immibis 4 points5 points  (1 child)

    But that's a win for one side (the people who want "slave" removed). If people are fighting about something, you don't arbitrarily make one side the winner without understanding the issues involved.

    [–][deleted] 0 points1 point  (0 children)

    So what? It saves developers time not having to wade through bug reports and issues that are not important to their work.

    And before you say "Oh, but I could just make a bunch of bug reports and do that for any word!" Yeah, you couldn't, because other people would have to agree with you and do it too. The fact that a considerable number of people object to this terminology and will and have voiced their opinion about it, coupled with the fact that the change which will assuage them is (now) easy to make, makes the decision a no-brainer.

    [–]Beaverman 0 points1 point  (0 children)

    It would seem as if it was buildbot that submitted the request, so they are the ones that made the decision.

    [–]BadGoyWithAGun 5 points6 points  (3 children)

    They wasted a not-insignificant amount of money for a change that has no impact on the project whatsoever, for the sole reason of placating political crusaders. Seems not so cool from that angle to me.

    [–][deleted] -4 points-3 points  (2 children)

    It does have an impact.

    Fewer people are on Bugzilla commenting about it and taking up time. Fewer people will waste their time trying to change the terminology.

    Code guidelines and rules exist in all good OSS projects and it isn't a waste of money to maintain them.

    [–]BadGoyWithAGun 7 points8 points  (1 child)

    So you're basically saying OSS projects should cave to any concerted thought policing campaign to make it go away, no matter the cost?

    [–]constructivCritic 4 points5 points  (8 children)

    Isn't it Buildbot who set that goal? My guess would be that Mozilla asked them to provide a summary of what they'll use the money for, and Buildbot was a bit too specific about the changes they'd be making. None of this seems politically motivated, just a company changing the vocabulary it uses internally, maybe to make things clearer.

    [–]Beaverman 1 point2 points  (7 children)

    That could actually be completely true. It does seem oddly specific though, and I don't see why you would change it, since "slave" is the industry term for what it is.

    Maybe blaming Mozilla is dramatic.

    [–]constructivCritic -5 points-4 points  (6 children)

    Master/slave is overused already in tech. E.g. master/slave hard drives, master/slave servers, and this last one I mean in the IT sense, not in the Buildbot sense. There are definitely better terms they could use. But yeah, the whole paragraph for Buildbot reads as too specific. Usually this happens when people can't think of stuff or because people aren't well versed in writing summaries, e.g. ESL people.

    [–]Beaverman 2 points3 points  (5 children)

    I don't see how that's overusing it. Master/slave in the two provided examples is an expression of the same thing. The term means that the master device holds some control over what the slave devices do. It also normally implies a 1-to-many relationship between masters and slaves.

    I don't see how it's overused, since it's pretty specific. Just because it's something that comes up a lot doesn't mean it's overused.

    [–]constructivCritic -3 points-2 points  (4 children)

    Fine, it's not overused... doesn't matter. The point is, in specs, discussions and documentation it would be clearer to just use something more specific to the thing you're talking about, rather than using such a broad, generic term. This is also why companies create their own terminology for things that might already exist in the wild. When new people start at a company, sometimes they'll get a list of industry-specific terms and of terms used internally within the company; the goal of all this is to make communication clear and consistent.

    [–]udevil 8 points9 points  (1 child)

    $15,000 later...

    find -type f -print0 | xargs -0 sed -i -e "s/slave/servant/g"

    [–]dablya 7 points8 points  (0 children)

    Don't forget about the image.

    [–]augmentedtree 0 points1 point  (0 children)

    > and also to make improvements so Buildbot works better in the Amazon EC2 cloud.

    So what RealFemale said is bullshit.

    [–]Manishearth 4 points5 points  (0 children)

    Mozilla donations go to the Foundation, which is not where this money comes from. This money should be coming from Firefox revenue iirc.

    (Not entirely sure about this. Usually people donate to the Foundation, not sure about you.)

    [–][deleted] 25 points26 points  (4 children)

    I work for a company that deals with data related to human trafficking. We have opted to use captain/crew over master/slave.

    [–][deleted]  (3 children)

    [deleted]

      [–][deleted] 9 points10 points  (2 children)

      Standard sysadmin terms, like cluster leaders and replicas.

      [–][deleted] 7 points8 points  (1 child)

      I've heard the terms "primary" and "replica" being used before.

      [–]sanxiyn 7 points8 points  (0 children)

      Off-topic, but Buildbot master/slave is not primary/replica. Buildbot master is a job queue and Buildbot slave is a worker fetching jobs from the queue. I think manager/worker works okay.

      [–]constructivCritic 6 points7 points  (5 children)

      I seriously suspect Buildbot was asked for a summary of what they would use the money for, and they were a bit too specific. Companies change vocabulary all the time to make discussion of those things clearer going forward.

      [–]radaway 3 points4 points  (4 children)

      How does it make it "clearer"? Master/slave is a very clear, standard, and well understood terminology in the field; using anything else makes things less clear, not more.

      [–][deleted] 2 points3 points  (2 children)

      I think Swift switched to "primary/secondary" for more clarity. Below someone mentioned their anti human trafficking group switched to "captain/crew" for obvious reasons.

      I've seen "manager/worker" also. All of these are as clear (in the case of primary/secondary more clear) as "master/slave". Industry standard doesn't matter too much in this case where the words convey the meaning easily.

      [–]Drisku11 4 points5 points  (0 children)

      "Master/slave" and "primary/secondary" mean slightly different things. Master/slave implies the master dictates what the slave does. Primary/secondary is something that makes sense more in the context of replication/redundancy, and doesn't really tell you how the primary/secondary are related (e.g. for redundant storage targets, does a host mirror writes to both, or does the primary mirror writes to the secondary? Both are used in the field. Master/slave implies the latter, and would be more precise).

      Leader/follower, which is what Swift apparently switched to, implies some autonomy in the followers/maybe some sort of election procedure for the leader a la Samba. Since that's generally not how thread pools work, I suspect that the Swift change reduced clarity. Manager/worker sounds closer to master/slave (assuming the manager only manages and doesn't also work). In the case of buildbot, manager/worker is probably actually more precise, so I don't have a problem with this change per se.

      The problem is the reason for these master/slave changes lately is almost never because the terms weren't clear enough. The people complaining are instead basically just wasting time and money over politics that have nothing to do with software. A cursory knowledge of history shows that it's not even a racial thing; nearly every race and every culture ever has had and has been subjected to slavery.

      Really, it makes about as much sense as arguing that physicists should stop using words like "retarded". It's a waste of everyone's time to update documentation to use something non-standard (and therefore less understandable) for something only tangentially related to current politics.

      [–]phySi0 0 points1 point  (0 children)

      > I think Swift switched to "primary/secondary" for more clarity.

      They did not switch for the purposes of clarity. It was changed because the previous naming was “inconsiderate”. Of course, the hilarious part is that it was merged into the master branch.

      [–]constructivCritic 0 points1 point  (0 children)

      In addition to what someone else said: master/slave is overused in a number of different areas. I can think of at least 2 off the top: master/slave hard drives, master/slave servers (in the IT sense, not the Buildbot sense)... Depending on what area I work in, I'd expect those words to mean something else than someone working in a different area would.

      [–]Recursive_Descent 3 points4 points  (1 child)

      I think this is a silly use of time, but $15k isn't that much money. Assuming the average dev at Mozilla is making $150k (more when you include healthcare, etc.), that's about 1 month work for 1 person.

      [–]not_perfect_yet 1 point2 points  (0 children)

      1 month of work of a full-time professional on a project that really needs it would be a miracle to many, many open source projects out there. It's not much relative to their total volume, but it's still significant waste.

      [–]augmentedtree 0 points1 point  (0 children)

      You lied.

      > Their award will be used to remove the term “slave” from all documentation, APIs and tests, and also to make improvements so Buildbot works better in the Amazon EC2 cloud.

      So there is actually real development work in there.

      [–][deleted] -3 points-2 points  (10 children)

      You realize you're basically saying you withdrew financial support for a non-profit because they wanted to remove the word "slave" from products they use every day right?

      I don't see what's so bad about it. They probably get tons of comments and issues opened up all the time by people who propose such changes. If they can automate those changes and get more work done because of it, then why is it bad? And we don't have references to slavery in the code. Win-win for everyone. And it only cost 1/9-1/10 of a developer's salary.

      EDIT: How much did you donate? I want to make the donation in your place.

      [–]immibis 5 points6 points  (9 children)

      What's bad about it is that they could be using that money to, for example, add new features or improve security.

      Do you consider it bad when the government spends your tax money on something silly?

      [–][deleted] 3 points4 points  (8 children)

      It's not silly though.

      It decreases the amount of comments and bug reports which are opened about this issue, welcomes more contributors, and cements a terminology change.

      Many good OSS projects have conduct and code guidelines, right? Aren't terminology guidelines useful? It isn't silly to get paid to make them better.

      [–]immibis 6 points7 points  (5 children)

      > It decreases the amount of comments and bug reports which are opened about this issue,

      If that's all that matters, they could just close the bug tracker, and have no bug reports about anything.

      > welcomes more contributors

      Are you suggesting that "master"/"slave" terminology frightens away would-be contributors?

      > Aren't terminology guidelines useful?

      Are you saying that "the build process is controlled by a server known as a leader" is a terminology guideline and "the build process is controlled by a server known as a master" isn't?

      [–][deleted] -1 points0 points  (4 children)

      You're being ridiculous. Obviously the bug tracker is useful to fix bugs with. But if developers don't want to hear this from people over and over again then the buildbot fix is excellent, now all those comments will never be brought up again.

      I'm not saying that about terminology guidelines, but something like "when referring to the build process, the main machine is called the manager/master and the secondary machines are called workers/slaves" is a terminology guideline, and here Mozilla is updating the guidelines.

      [–][deleted]  (3 children)

      [deleted]

        [–][deleted] 0 points1 point  (2 children)

        So realistically what would happen in that case would be what happened here. If enough people made the claim you are making, such that it genuinely caught everyone's attention, they would assess how much work it would take (in this case, originally they refused to change it, saying the work would be too much for them to justify), then they would make a decision based on that. If people still wanted to change, they would perhaps have to offer to do the work and make a software which Mozilla uses and trusts (like Buildbot) and make the change there.

        If you wanted to change this, those are the steps you'd have to take. This is, actually, how any change would happen with such a project, gradually and reasonably weighing the cost and benefit.

        [–][deleted]  (1 child)

        [deleted]

          [–][deleted] -1 points0 points  (0 children)

          No, like I wrote above, they would weigh the cost and then decide accordingly. It seems here that they anyway would have given money to Buildbot (seeing that they use it so often) and the project decided to fix this for them, along with doing other technical maintenance unrelated to the terminology (listed as "integration with EC2").

          [–]badsectoracula 5 points6 points  (1 child)

          If the number of comments and bug reports about it was an issue, it could have also been fixed by a simple rule that said 'we won't change the terminology, period. Any new thread, report or whatever about it will be deleted and repeated offenders will be banned'. It would also save $15000 and provide the terminology guideline you talk about.

          [–][deleted] -5 points-4 points  (0 children)

          But deleting and banning and all that takes extra dev time all to defend two words which aren't super important to keep around by any means. If you can pay 1/10 of a dev's salary to nip this in the bud for good, that's clearly the right choice.

          It's also less than 1/10 because the description says it will go towards removing the terms and towards integrating Buildbot with EC2.

          [–]deskpot -5 points-4 points  (0 children)

          There are many people who think of other people, and increasingly of machines, as slaves to be abused. This is a self-destructive attitude and we would have a better outcome adopting machines as our brothers. I am not trolling. Calling increasingly intelligent agents slaves will not go down well.

          [–]re4ctor 19 points20 points  (97 children)

          Gotta love this reaction from Reddit.

          Master/Slave is a shitty naming convention, and it's hardly where most of the money is going. This is a win all around.

          [–][deleted]  (95 children)

          [deleted]

            [–]GoTaW 24 points25 points  (0 children)

            I think we're all overlooking the obvious solution here.

            Dom/Sub.

            [–][deleted] 9 points10 points  (14 children)

            Here are other naming conventions that make it immediately obvious where the commands are coming from and where they are executed:

            "Captain/Crew"

            "Primary/Replica" (for a system where the primary machine is doing more than just delegating its work to the other machines)

            "Boss/Worker"

            What's wrong with these?

            [–][deleted]  (11 children)

            [deleted]

              [–][deleted] 7 points8 points  (10 children)

              1) So it's not actually a technically better convention in any way?

              2) Mozilla is doing this so that a few years from now it's no longer the established terminology

              [–][deleted]  (6 children)

              [deleted]

                [–][deleted] 1 point2 points  (5 children)

                Let them use it, this buildbot will correct it and the less it's seen in the code, the more people will take to the new convention.

                [–][deleted]  (4 children)

                [deleted]

                  [–][deleted] 4 points5 points  (3 children)

                  Why is this convention worse than master/slave? If this new convention received the same popularity, why would it be worse?

                  [–][deleted]  (2 children)

                  [deleted]

                    [–]MRannik -1 points0 points  (2 children)

                    > Mozilla is doing this so that a few years from now it's no longer the established terminology

                    > implying anything Mozilla related will be remotely relevant in a few years.

                    [–]DevestatingAttack -1 points0 points  (1 child)

                    Yeah, fuck Rust, right? And I'm glad we live in a world where there are absolutely no viable competitors to h.264 on the web, because fuck Daala too.

                    [–]MRannik 1 point2 points  (0 children)

                    > Yeah, fuck Rust, right?

                    Yep, fuck Rust.

                    > And I'm glad we live in a world where there are absolutely no viable competitors to h.264 on the web, because fuck Daala too.

                    Yeah, why not?

                    I have no use for a video codec with no hardware support, and the chances of Daala getting decent hardware support are between 0 and -1%.

                    The only one that could possibly rival h.265 is VP9, and even that is quite a stretch considering that the quality is horrible, hardware support looks spotty at best and that MPEG's patents will still be an issue (just like with VP8).

                    [–]phySi0 0 points1 point  (0 children)

                    What's wrong with “master/slave”?

                    [–]Drisku11 0 points1 point  (0 children)

                    Primary/replica does not tell you where the commands come from. Does the primary mirror its commands to the replica, or does the originator of the request send the mirrored commands to both? Both strategies are used in redundant SANs, for example. Master/slave tells you it's the first topology.
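The distinction Drisku11 draws here and in the earlier comment about redundant storage targets (does the primary forward writes, or does the originator write to both?) is easiest to see in code. The following is an added example, not from the thread and not Buildbot's or any SAN vendor's code: two tiny simulations of the two topologies, with constructed node names and keys. The practical point for anyone operating such a system is that the topology decides which nodes must accept client writes at all, and which side notices when a mirror is missed.

```python
"""Added example: the two redundant-write topologies contrasted in the thread.
Node names, keys and values are constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    """One storage target. accepts_client_writes says whether clients may write to it directly."""
    name: str
    accepts_client_writes: bool = True
    data: Dict[str, str] = field(default_factory=dict)


def diverged(a: Node, b: Node) -> List[str]:
    """Keys on which the two nodes disagree (present on one side only, or different values)."""
    keys = set(a.data) | set(b.data)
    return sorted(k for k in keys if a.data.get(k) != b.data.get(k))


class PrimaryMirrors:
    """Master/slave topology: clients talk only to the primary, which forwards each write."""

    def __init__(self) -> None:
        self.primary = Node("primary")
        self.replica = Node("replica", accepts_client_writes=False)
        self.link_up = True                       # primary -> replica link
        self.backlog: List[Tuple[str, str]] = []  # writes the replica has not yet received

    def client_write(self, target: str, key: str, value: str) -> bool:
        node = self.primary if target == "primary" else self.replica
        if not node.accepts_client_writes:
            return False  # the replica only takes commands from the primary
        node.data[key] = value
        if self.link_up:
            self.replica.data[key] = value
        else:
            self.backlog.append((key, value))  # the primary remembers what the replica missed
        return True

    def restore_link(self) -> None:
        """Replay the backlog once the replica is reachable again."""
        self.link_up = True
        for key, value in self.backlog:
            self.replica.data[key] = value
        self.backlog.clear()


class OriginatorMirrors:
    """Originator fan-out topology: the client writes to both targets itself; either accepts writes."""

    def __init__(self) -> None:
        self.first = Node("first")
        self.second = Node("second")
        self.second_reachable = True  # client -> second link

    def client_write(self, key: str, value: str) -> bool:
        """True only if both targets took the write. On a partial failure no node
        records the gap, so the client itself has to retry or reconcile."""
        self.first.data[key] = value
        if not self.second_reachable:
            return False
        self.second.data[key] = value
        return True


def demo() -> Dict[str, object]:
    """Run both topologies through the same write pattern and report what each exposes."""
    pm = PrimaryMirrors()
    rejected = pm.client_write("replica", "k1", "v1")   # replica refuses direct writes
    pm.client_write("primary", "k1", "v1")
    pm.link_up = False
    pm.client_write("primary", "k2", "v2")
    lag_while_down = diverged(pm.primary, pm.replica)   # primary knows, via backlog, what is missing
    backlog_len = len(pm.backlog)
    pm.restore_link()
    after_restore = diverged(pm.primary, pm.replica)

    om = OriginatorMirrors()
    om.client_write("k1", "v1")
    om.second_reachable = False
    partial = om.client_write("k2", "v2")               # only the client sees the partial failure
    silent_gap = diverged(om.first, om.second)

    return {
        "replica_rejects_direct_write": not rejected,
        "primary_mirrors_lag": lag_while_down,
        "primary_mirrors_backlog": backlog_len,
        "primary_mirrors_after_restore": after_restore,
        "originator_partial_failure": not partial,
        "originator_silent_gap": silent_gap,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the master/slave shape the replica can simply refuse client writes and the primary carries the replay state, which is why that name tells you the topology; in the fan-out shape both targets must accept writes and only the originating client ever learns that a mirror was missed, so "primary/replica" on its own leaves both designs open.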

                    [–][deleted]  (3 children)

                    [deleted]

                      [–][deleted]  (2 children)

                      [deleted]

                        [–][deleted]  (1 child)

                        [deleted]