Ruminations on Mr. Safe

A few months ago Tim Bray posted a conversation with a hypothetical Mr. Safe which attempted to explain why a conservative business manager such as the CIO of a bank wouldn't deploy a technology like RSS. Tim Bray points to reasons such as the fact that it wasn't produced by a "standards organization", there are ambiguities in the spec and the existence of competing versions for justification for why he believes the typical Mr. Safe would not deploy RSS.

Shortly afterwards Joshua Allen pointed the major shortcoming of Tim Bray's arguments; most Mr. Safes are pragmatists and late adopters (see the Technology Adoption LifeCycle). Their decision making process for choosing technologies is more driven by following the pack and adopting tried & tested solutions than it is by technical specifics of a particular solution to a problem. The CIO of a company is more likely to be impressed by the fact that a technology is being deployed by multi-billion dollar companies like Microsoft, Yahoo and Sun Microsystems or household names like The New York Times, BBC, and Rolling Stone than it is by whether the spec is considered to be well-written (for some subjective definition of well-written) or how few flame wars the people behind the spec have been in.

The more I think about this the more I agree with Joshua's postion. I am definitely not impressed by protestations that there are ambiguities in a particular technology specification given that most technology specs are full of holes. It doesn't matter if it is an ANSI spec (e.g. C++), a W3C spec (e.g. W3C XML Schema) or an IETF RFC (e.g. RFC 2396) there are always ambiguities or flat out errors in the spec that lead to conflicting interpretations and in many cases user confusion. The fact that the spec is produced by a standards body does not prevent this from happening and in many cases encourages it [especially if the august body is the W3C with it's culture of compromise between conflicting design goals].

I recently have had to deal with the .NET Framework's equivalents of Mr. Safe. One of my job duties at B0rg Central is responsibility for the implementation of the W3C XML Schema recommendation in the .NET Framework (i.e. the System.Xml.Schema namespace). Due to the complexity and inconsistency of the recommendation there have been a large number of errata published for the spec; over a hundred by my most recent count which can be confirmed by checking the W3C XML Schema Errata page. A number of these errata change the behavior of W3C XML Schema implementations and cause schemas that were valid under the original versions of the spec to now be invalid. Implementing these changes means that when users upgrade the .NET Framework and get a new version there is potential that their previously working applications would be broken through no fault of their own. At B0rg Central such changes to the behavior of an API are considered to be "Breaking Changes".

For a breaking change to go from a bug being entered in my team's bug database to the fix being checked in, it has to go through 4 different groups of meetings where the impact of implementing the change is weighed. Why? Because when you have customers who spend millions of dollars buying your software then deploy it on thousands of desktops they want a very good reason when you break their applications because they upgraded an application component such as the .NET Framework.

Sitting in a room trying to justify to a bunch of folks who don't use XML why breaking working customer applications to fix Errata E2-12 (for example) of some W3C spec is such a good idea is an enlightening experience. Considering that I've had to deal with some of the behavior changes between v1.0 and v1.1 of the .NET Framework while working on RSS Bandit it is interesting to be on both sides of the fence. On the one hand I believe standards compliance is important but on the other I'd be pissed if RSS Bandit didn't work on the next version of the .NET Framework due to some breaking change made because framework more standards compliant especially if the previous uncompliant versions worked just fine for me.

Why aren't things ever just black and white?

#

File Formats and Political Scandals

It's always interesting to see the different ways features in software end up getting used outside the core scenarios that were envisioned when they were designed. I doubt the folks who designed the various change tracking and revision history features in Microsoft Word^(R) would have envisioned the hubbub in the British government a few months ago.

A related Slashdot article has a number of posts from people who've also taken advantage of information leaked in this manner from people who share documents with them. This reminds me of the one of the sessions on security I attended during the Security Push last year which talked about "Information Disclosure" and how many people don't consider it when designing applications

Anyway, if you share Word documents with people and would like to reduce the amount of metadata in the document that they can recover I suggest reading the Microsoft Knowledgebase Article 290945 which points to ways to stop the aforementioned information leaks from happening when sharing documents.

#

SoBig: An Outlook Virus?

Tim Bray has a post entitled On Email where he writes

Everybody knows that this week's virus-storm has hit so hard because everyone runs Outlook; so one way to improve the situation is to not run Outlook. Herewith consideration of some pros and cons, and a look at a few email alternatives, including Eudora, Mozilla, and Pegasus.

This was written during the height of the mail storm generated by the SoBig worm. From the various advisories I saw the SoBig worm's primary method of spreading was "social engineering", basically it sent mail with generic titles and an attachment that people were encouraged to click. On execution the worm had its own built-in SMTP mail client and found email addresses to send itself to by searching the web browser cache for web pages with email addresses in them.

I don't see anything to specific to Outlook in its modus operandi unless Outlook is the only mail client that allows you to receive attachments.

#

It's About Time I Picked Up A New Scripting Language

Python on the .NET Framework - How U Luv Dat?

#

A Blast from the Past

I was recently contacted by Mark Wilson about an article I wrote a few years ago when I was still in school and enamored with XML database technologies. He liked it enough to want to run it on his site. If you'd like to read my opinions from two years ago when I was still a starry eyed college kid fighting off publishers who wanted me to write an XML database book then you should check out An Exploration of XML in Database Management Systems currently on the TopXML webpage.

#


--
Get yourself a News Aggregator and subscribe to my RSSfeed

Disclaimer: The above comments do not represent the thoughts, intentions, plans or strategies of my employer. They are solely my opinion.