Gnu/Linux Considered Harmful

[Marco]

Avoiding buffer overflows in C is trivial.  Just read and understand the language standard.

No, the real trick is never making mistakes.

[rhodges]

Avoiding buffer overflows in C is trivial.  Just read and understand the language standard.

No, the real trick is never making mistakes.

Yes, agreed. I was recently bitten by a silly mistake. I have a pointer to a counter that I want increment...

Code: [Select]

*ptr++Yeah, that mistake bit me...

[Karel]

No tool (or language) is going to improve the situation as long as companies don't want to pay more for skilled programmers
and relax the deadlines. The thing is, if a company releases later to give their programmers more time, and if
that software is more expensive than the competition, they go out of business.
So, in the end, it is the client that should be willing to pay more for better software.

I don't see a real solution here.

[borjam]

But Linux has gone backwards related to Unix in several ways.

I partially agree, and partially disagree.  The kernel is definitely gone forward.  A lot of services considered part of the OS have gone backwards.

So, the OS goes?

And it's become a showcase of poor practices.  That makes it harmful.

I don't think the existense of distributions using horrible practices is enough to label the entire OS harmful.

I don't think it's only a matter of some distributions. There are ways in which the Linux crowd, as a whole, hasn't got the good principles right. From those problems (example: Linux is a kernel, not an OS) you can derive other poor practices.

Awww, sorry. You are right, buffer overflows were a thing of November 1988.

Stop trolling.  You know that's not what I am saying.

I know, just pulling your leg The current wave of "IoT" crap is not Linux fault at all, but crappy developers who just want the software running and won't care about consequences. Same thing happens with high end instruments running Windows.

Yes, C does not have native buffer overflow detection or bounds checking. This is a big problem, because C developers do not bother to do bounds checking themselves. We should have fixed this ages ago.

I don't think C and Unix have been bad. Quite the contrary. But C is a systems programming language pretty similar to programming in assembler. The problem is, couple that with a heavily networked world in which your programs won't be communicating only with trusted sources and you have the recipe for disaster.

Yet, even fixing it would not affect the security of Linux-based appliances (routers, media players, TVs, and so on) much, because the manufacturers tend to misconfigure their services, especially leaving "hidden" logins with fixed usernames and passwords.

Not only that, but extremely poor practices. But they would have botched it with any other OS. You are right.

Still Linuxisms have harmed the portability of most software targetted for Unix systems. Now it's targetted for Linux. That's harm in my book.

Just because crappy people do crappy stuff with some tools, does not make the tools themselves crappy in my book.

Again, phylosophical differences are key here.

[borjam]

Wasn't Booch the asshat responsible for UML and RUP?

Oh. I remember when software engineering was about designing better software, modeling it better and understanding it.

With structured design (Yourdon, De Marco...) the specification tools really helped to design better software. I remember having used a kinda homegrown approach derived from the ideas outlined here (http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.19.6735&rep=rep1&type=pdf and it really helped me not only model the system, but to make it better.

With the UML crap everything went downwards. UML is only useful to specify software for some cheap and crappy subcontractor.
Software Engineering self destructed.

I have no problem with object oriented programming. Most of the time programming against structures is OO masked poorly. Sometimes it's the only way to scale a large problem domain up effectively but you do have to know your shit to put a large bit of software together effectivel and without ending up with 80Mb clock applications.

That's why I cringe when I see that OO is introduced too early into the curriculum.

[bd139]

Quick scan through that while eating breakfast lines up with my understanding of the universe. I use a similar method myself. Most of what I build these days is task and message oriented connected with queues for a different reason. It does help with architecture and decomposition of the problem domain but one of the cool things is the designs usually automatically lend them selves to horizontal scalability.

I’ll have a read in depth later on train but looks spot on to me.

[borjam]

Quick scan through that while eating breakfast lines up with my understanding of the universe. I use a similar method myself. Most of what I build these days is task and message oriented connected with queues for a different reason. It does help with architecture and decomposition of the problem domain but one of the cool things is the designs usually automatically lend them selves to horizontal scalability.

I’ll have a read in depth later on train but looks spot on to me.

Look at the date

I learned of that article in a one week course on Concurrent Programming I took at the university in 1990 or so. The course was briliant and that paper was one of the recommended readings.  Another one was this, [url]https://www.csee.umbc.edu/~younis/Real-Time/Reading_Assignments/MARS.pdf[url].

These readings really helped me when I had to design a multi track audio recorder for stock markets and emergency call centers which could use several tape drives even network connected, allowed an operator to recall a recording in order to double check data provided by the caller, it used a hyerarchical storage management system (which I designed as well) and it achieved uptimes in excess of a year. The limit for the uptime was the useful life of the DAT heads which we worn out pretty quickly.

I really think that nowadays everything is going down the drain with too much focus on mastering huge libraries rather than fundamental principles. And those huge libraries are quickly surpassing the insanity in laws, swinging one way or the other in a complete chaos. Stack Overflow is going to be like a database of legal precedents!

[bd139]

Yes, all the good ones were 70s and 80s and mostly forgotten. Another good one is Hoare's CSP (tggzzz is a fan of that as well I note): https://spinroot.com/courses/summer/Papers/hoare_1978.pdf

I think some of the libraries do have some serious advantages. That is when you pick the right ones you get to concentrate on the business problem rather than the actual infrastructure to support it. Recently I built a quoting engine on top of some of them and I think I wrote about 2000 lines of code and it quite happily chewed up 100,000 messages a second on a commodity crapbox from HP.

It's very easy to turn some of them into a pile of crap and it's very difficult to find ones that don't lead you down a path to writing a pile of crap. That's the problem and really that comes down to discipline and experience, which is mostly lacking I find.

[rhb]

The complaint about FORTRAN 77 was that COMMON and GOTO destroyed locality of reference.

Now we have instead *no* locality of reference.  Hopefully the situation is better than the last time I touched a pile of C++ crap 20 years ago,  In order to set the breakpoint I needed I had to spend a ridiculous amount of time hunting for the parent classes so I could look at their constructors.

I was the lead scientific programmer.  They had intended to make the same mistake as the project we were replacing, use the code written by the research scientists. I managed to disabuse them of that folly. 

I was doing the most impeccable work of my career.  Everything had a header which documented the input and output arguments including minimum, maximum and default values.   The project lead documented that it took 6 man-weeks of GUI development for every man-week of scientific development.  As a conseqence I was well ahead of schedule and they were far behind.

I was asked to fix a bug in a GUI function.  It was several thousand lines of machine generated code from a GUI GUI builder which had been hacked by hand!  I fixed it, but was so appalled by the code quality that I told the project manager I would not work on any more GUI code.

I signed my work with my name and  ACM email address in the opening comment block.  I was laid off a month or two later and the company was gone within 6 months.  Because this was a super major acquiring a major, the deal required divesting certain assets.  I learned from a friend at the company that bought the divested assets that they got the software package I'd been working on.  They threw away the GUI code, but they kept my scientific libraries.

The 18-24 month "right sizing" cycle meant that I knew people everywhere.  I learned of this at an annual conference from someone I had worked with who was involved.

There are canonical phrases in every language.  For *ptr++ it is some variant of the following:

while( ptr && ptr < ptr+len){
   *ptr++ = foo( bar );
}

My extremely worn copy of "Standard C" by Plauger and Brodie has a note by the summary of gets(3c) , AVOID.  Unless I have read it that day, I *never* call a library function without reading the summary of the usage if I am doing serious work.  I might not bother if I'm doing a 10-20 line quickie for something. But even on those it's very rare I won't check the summary.

The papers linked in the last dozen or so posts are very good.  I'd not read Hoare's CSP, but I was thoroughly drilled in that by Tanenbaum and Minix.

I wrote *one* program in which all the functions communicated via global variables.  It was a complex parser which corrected for segments of missing data in a  database on the mainframe  so it was a loop calling about a dozen functions. When I was finishing it I noticed that all of the functions except for one took the same 4 arguments. One function had one or two additional arguments.  So I made the 4 arguments file scope globals and then changed the functions to "int func(void)" to highlight for anyone working on it in the future that there was one function that was special.

If I had wanted to be obscure, I could have passed the variables on the stack without explicitly passing them.  But that would have been a *very* cruel trick to play. There are a lot of diabolical tricks you can play if you know exactly what the compiler and linker are doing.  I'll occasionally write an example of such things, but only to prove a point about why something is poor practice. 

[bd139]

On gets, it was a stupid design. No bounds checking and no null termination. fgets replaced it. Explicit stream source, size_t length and null termination semantics. You can still use it wrong but it's your fault then

GUI stuff is the worst. I'll give Microsoft their due though, if you keep to the .Net stuff (winforms or WPF) it's not horrible to use. The underlying win32 / ATL / MFC / whatever unholy mess of the hour is vile however. For me, I tend to avoid GUIs entirely. I prefer programs to work with programs not humans.

Some of the higher level languages are nice...

using (var sr = new StreamReader("path")) {
    string line;
    while((line = sr.ReadLine()) != null) {
        // do stuff here
    }
}

Can't screw up at all there and usually you just write your stuff so it talks to a TextReader instead (the base class of the StreamReader).

Edit: for the unfamiliar, the using block is a resource management construct. The file will be closed automatically going out of scope and the reader and all memory disposed of.

[nfmax]

That loop says "AWK!" to me

[bd139]

For some cases of what’s in the loop, yes.

Inside that you can have a TokenReader and inside that an LL(k) parser for example. K being handled by a buffering token reader

[Nominal Animal]

I don't think it's only a matter of some distributions. There are ways in which the Linux crowd, as a whole, hasn't got the good principles right. From those problems (example: Linux is a kernel, not an OS) you can derive other poor practices.

It is not a single cohesive crowd, either. The conflicts between the kernel developers and the GNU C compiler (doing something completely un-useful just because the standard leaves it up to implementations) and the GNU C library (not exposing all Linux kernel interfaces, especially thread IDs, which could be very useful for Linux-specific application programmers) reoccur regularly.

That means there is nobody with a central vision for the GNU/Linux as a whole; it just ... happens by fiat.

I don't know of any way to do it better, though.  I don't think there is anyone with a better central vision; nobody I'd trust, anyway.  And in any case, trying to impose anything on the individual developers is just not going to fly, unless they voluntarily agree -- and based on the existing internal conflicts, there is zero chance of that.

Again, phylosophical differences are key here.

Yeah, or semantics.. as in what exactly is meant by "considered harmful" in the thread title.  I see the term strong enough to require one demonstrate actual harm that would be avoided by not using it at all, rather than base it on comparison to imaginary things or speculation.

I have absolutely no issues with others preferring other tools.  But when tools I use constantly, and without any measurable harm caused by me doing so, are labeled harmful, I need to object.  And not just because of personal reasons: I often contribute back to the society by doing so, mostly by helping others learn, but also via research (computational material physics, occasional computer science and math).  And I know a lot of others who do so too.  To me, it's like someone claiming that teaching kids is harmful, because it could be done better -- without even showing what those "better" ways would be in real life.

I really think that nowadays everything is going down the drain with too much focus on mastering huge libraries rather than fundamental principles.

I fully agree.

My extremely worn copy of "Standard C" by Plauger and Brodie has a note by the summary of gets(3c) , AVOID.  Unless I have read it that day, I *never* call a library function without reading the summary of the usage if I am doing serious work.

I do the same with the Linux man pages online. Don't let the name fool you; each page has a Conforming To section specifying which interfaces are C89/C99/C11, POSIX.1, BSD, or something else.  The Description and Bugs sections are particularly useful.

[rhb]

I was not aware of those online man pages.  Thanks.

BTW The paper was by Dijkstra,  not Wirth.  Not sure why I got it wrong.  Old age I guess.  Dijkstra was simply arguing for common sense.  If you've ever worked on a column 7 FORTRAN code that had a GO TO every 30 lines or so you'd understand.

The motivation for the thread was the lack of any consistency.  Debian 9.3 is  proving to be fairly tolerable.  But I am a SunOS guy at heart.  I'm OK with Solaris and that's what I use for most serious work.

The thread started after reading all manner of stuff which was specific to some particular version of some particular distro neither of which was stated.  The basic novice "Everyone's computer is just like mine." problem.

The Gnu tools were much better quality 30 years ago than they are now.  They were written by people who understood Unix well.  I feel fairly certain that very few of the current Gnu developers have read the seminal Unix papers from the 70's.

[mansaxel]

Systemd is plainly broken.  Bad idea badly done, and with a shitty attitude at that.

Binary logs.

Integrated tools that do what Lennart says you want, not what you want.

DNS client that defaults to spyware 8.8.8.8 (without telling you)

DNSSEC support that depends on insecure messages in home-built XML over dbus.

Said XML messages for DNS over dbus aren't RRtype transparent, so requiring update as soon as new RRtypes exist.

An userid that starts with a digit is treated as root (https://www.theregister.co.uk/2017/07/05/linux_systemd_grants_root_to_invalid_user_accounts/)

Completely flabbergasting attitude to security issues.

If it comes out of the designated orifice, if it stinks, if it grosses people out, if it is marginally usable only after decomposing, well, fæces it is.

[nvidia]

puppy linux is the best os for older laptops or desktop pc its so fast

[Nominal Animal]

The thread started after reading all manner of stuff which was specific to some particular version of some particular distro neither of which was stated.

Yup; sometimes you just need to poke a bit to get an interesting discussion going.

The Gnu tools were much better quality 30 years ago than they are now.

I don't really know, considering how different the typical use cases and hardware is today.  Some of them, like make, sed, awk, and m4, are only better; I don't recall encountering a bug in any of them.  GCC and glibc are really hard to compare, because they've changed so much. (Should we compare the number of bugs, or their density? Number of issues? Users affected? Likelihood for a single developer to run into an issue? I do not know, and don't want to rely on my memory or "gut feeling": I'm too often wrong when I do that.)  Just think about the amounts of data current computers shuffle around, on a near-constant basis. It is staggering, in terms of 30 years ago.

I feel fairly certain that very few of the current Gnu developers have read the seminal Unix papers from the 70's.

I'm certain they have not, because many devs now openly decry the Unix philosophy and KISS principle/software minimalism.

The kernel developers are slightly different.  Most of them haven't read any articles published before 2000, but at least there is some consistency and rules in place. (The kernel - userspace ABI is one thing that is considered sacred: extended yes, but only modified breaking backwards compatibility for really big reasons.  Some subsystems like ALSA and graphics drivers don't play ball, but they're basically results of decisions made almost two decades ago, with no known fixes.  Some stuff, like the /sys pseudofile hierarchy, actually makes sense, and fits the Unix approach pretty nicely.  As an example, you can read /sys/bus/usb/*/idProduct and /sys/bus/usb/*/idVendor to discover all USB-connected devices, or /sys/class/input/event*/device/name to find out which human interface devices are connected to the kernel input event subsystem.  You can even grab any one for yourself (or feed events back via uinput device), if you have the privileges.  The input event subsystem has a stable kernel character device interface for all HID devices, from keyboards to mice to touchpads and joystics.  Device privileges are easily managed via udev service, an old Unix-style daemon, which manages the creation and deletion of device nodes and symlinks as the devices are connected/disconnected/discovered. Unfortunately udev it is now subsumed into systemd, so it might go wonky soon.)

Then, there is systemd, gnome, gdm, and just about all graphical desktop applications, that.. well. We could do better. Or at least not throw hard-earned knowledge to the wind, and redo known mistakes.

[malagas_on_fire]

What about shell scripting? Do you feel some transition problems when working with full featured BASH / KSH and switch to busybox  aka ASH... yeahh try some for, arrays but again embedded is embedded.  It is a nice language to interact automate things in linux / unix systems when speed is not really required.

Code: [Select]


#!/bin/bash
i=0
while true; do
echo "Hello No: $i"
i=$(( i + 1))
sleep 1
done



Poll some gpios, adcs from sysfs when you have little commands, for instance OpenWrt... It's not so ugly ... unless it fits in one line ...

Code: [Select]

i=0; while true; do echo "Hello No: $i"; i=$(( i + 1)) ; sleep 1; done



[rhb]

Thirty years ago I was managing a MicroVAX II WorldBox with 5 MB of DRAM, a TK-50 and 288 MB of disk. The 11/780 on the first floor had 4 MB 0f DRAM, around 1 GB of disk, an FPS-120B, four 9 track drives  a Gould-DeAnza 32 bit  512 x 512 color terminal and a 30" Versatec plotter.  Terminals were all VT100s except for a Tek 4014 with a thermal printer.

These were used for seismic processing research.  I often had the MicroVAX running at 100% CPU utilization for weeks at a time without detectable impact on interactive users. I had 2 terminals besides the console.  The terminals switched between the 780 and the MicroVAX.  We only had a single user license for the MicroVAX, but you could login to the console and spawn a process on the terminal and then iconify it.  So we could actually have 3 users on it.

I use tcsh for the terminal and traditional Bourne shell for scripts combined with awk and all the traditional tools. 

25 years ago I had a Sparcstation 1+ with terminal windows logged into an IBM AIX, Intergraph CLIX and HP "snakes" series machine.  I also sometimes had windows open on DEC Ultrix and SGI IRIX systems.  My home directory was NFS mounted on all of these.  I used csh in those days and my .cshrc and .login files were quite elaborate.  I had a ${HOME}/bin for shell scripts and ${HOME}/${ARCH}/bin for compiled binaries and symlinks to handle systems which had both BSD and SysV tools..  I also maintained a /tool/bin tree which was setup so that /tool/${ARCH}/bin and friends were automounted there.  That was where I maintained all the Gnu tools for all the platforms.

Everything I did was portable across all 6 systems.  I had a 1+, 3/60 and 3/110 at home with a 1.8 GB disk and a very slick automounter and NIS arrangement at home.  I brought Linux on the PC I had bought to run Minix and Coherent.  Played with for a day or two, but I had professional class systems, so there was no reason to use it.

At the time I remarked that no one could beat Windows NT as a commercial venture, but Linux might just for the sheer craziness of it.  It pretty much has, but it's also become as complex and annoying as Windows.  The entire UI changes constantly.

A few years later I managed to multiboot Linux, Solaris and FreeBSD.  It took something like a dozen attempts to get them not to kill each other.  After that I never did multiboot again except for a laptop I set up about the same time period.

On my *real* work system today  I run Solaris 10 u8 and twm dual screen, one portrait and one landscape. My internet access system runs OpenIndiana Hipster and VirtualBox. Both of these run ZFS in a 3 disk RAIDZ1 configuration.  A 3rd system has SATA and PATA swappable drives. I recycle my old drives to test stuff or when I positively, absolutely *must* run some particular flavor of something.

If the effort that's gone into Linux had gone into Minix instead, we'd have a really good system.  But instead of something robust, we have what will eventually be just another flavor of Windows.

In 1995 the first public release of Plan 9 put the OS, a windowing system, an editor and basic utilities and network support on a single, bootable 1.44 MB floppy.

From my vantage point, we are going backwards, not forward. 

But it's not just computing.  It is society.  Kids today don't  know how to use a book.  They can't read and they can't write or spell. And in the US they are completely unwilling to work.  Which has been a major driver in illegal immigration.  The Mexicans can be scarily incompetent as the 4 who were killed in the DFW area when they blew up a $500K house with paint thinner fumes.  But you can't fault them for motivation to work.  I have had numerous people tell me they cannot find Americans willing to work, even at at double minimum wage.

It all makes me glad I'm old.  With a little luck I might die before things really get bad.

[Nominal Animal]

If the effort that's gone into Linux had gone into Minix instead, we'd have a really good system.

If people put the money they use for purely visual cosmetics (makeup) into space exploration, we'd have had a manned station on Mars for at least a decade already.  (I won't say makeup is harmful, though.  )

But it's not just computing.  It is society.

True. Each passing year, Idiocracy comes a step closer to reality.  Or maybe it is just that as we age, we shed our misconceptions and naive beliefs we had when we were younger, and see the world more clearly.

Yet.. Between 2002 and 2012, those living under the poverty line reduced from 26% to 13% globally.  Global poverty was halved in a single decade, and it is quite possible we can eliminate it in the next couple of decades.

I don't care much about adult humans, but think what internet and the reduction of objective poverty means to kids growing up. They will no longer held back due to a lack of resources, and actually have a chance at bootstrapping themselves.

[bd139]

Edit: this turned into a long rant the moment idiocracy was mentioned. Sorry.

I work with a lot of young developers and startups. Idiocracy is here already. Big time. I’m usually the guy who has to dig them out of the shit. I speak for perhaps 80% of the industry here. There is good stuff going on but most of the growth is complete and utter crap.

Basic development process is: jump on every new fad, sell everything out to the first cloud vendor to fart out some immature piece of crap, start code first on an idea without thinking it through, get milked by every data collector on the way, forget to do any legislative research first and run in “beg for forgiveness” mode, always forsake your customer, not look more than six months into the future. This leads to all the churn in the industry. From a customer’s perspective, they go to buy a product, find a magic vendor that does what they need and sign up after reading the paid up quotes and stories in trade magazines. After the line of paid training, migration and indoctrination takes place no one wants to admit they bought a steaming turd and that the project is failing because they bought a lie. What people end up with is a prison of lies they can’t escape from. This is mostly self inflicted and is a failure mode of CYA culture in companies.

On top of that a lot of software companies are MBA driven and the engineering side is seen as a cost centre rather than the core of the business. On the above model you can see why. Collecting customers like Pokemon and milking them is the objective not quality delivery or solving their problems. They like to outsource, to the lowest bidder.  Usually some awful crap shifter like a rather well known one in Hyderabad. They have massive staff turnover and half their qualified staff bought their degree through a bribery programme or from an impressive sounding but non existent university. Then when the right opportunity comes along the owners sell the stock off and disappear under layers of new management imposed by the investors.

I decided about ten years ago that I was going to help fix these people and help them build decent products. Then I realised that wasn’t their goal. So now I concentrate on extracting as much money from them as possible because the less they have the less they can hurt people. Every contractor I have spoken to frankly, usually down the pub after work, has said the same thing. Thus my mortgage is paid off.

The good times are over. Our future is sharecropping while carving the same wheels over and over again in different idea cults. All progress is gone. And that’s because people have traded professionalism for faddism and Ferengi death cults. 

As for poverty, I think they redefined the line. I take my kids to school with people on food bank handouts. One guy, a professional glazier, can’t get any work. He has been trying for three years. Turns out there is no market because labour is cheaper elsewhere. Now I have no problem with immigration for sure but the reason it works is that the immigrants and outsourcers get paid less. They shouldn’t. They should get the same pay and that puts the decision on hiring on ability not price.

Ugh it all sucks. 5 years of this shit left and I can retire (early) and write a book decrying the whole thing dilbert-style.

[BradC]

Yet.. Between 2002 and 2012, those living under the poverty line reduced from 26% to 13% globally.  Global poverty was halved in a single decade, and it is quite possible we can eliminate it in the next couple of decades.

It'll never happen as long as those people smart enough to be educated about contraception continue to listen to the message, while the others still can't figure out what is causing it continue to procreate unchecked. Don't breed 'em if you can't feed 'em, and that applies just as much in the 1st world as it does in the 3rd world.

As for Linux, we are lucky enough to be spoiled for choice and virtualization has made that even easier. Have an expensive piece of crapware that requires certain OS, architecture and versions? Chuck that specific setup in a VM and go at it. Same way I deal with expensive and specific software that requires windows. Heck, one piece of obsolete but essential crapware I use dies after 2013, and the company died long before that. Put it in a VM and make sure the VM start date is pre-2013. Sure, it's not for everybody but it works for *my* workflow and it means I can continue to use the stuff rather than haggling over OS versions or updates. It also means I can isolate it all from the network, so nothing phones home, I'm not subject to forced or unintentional updates, and everything just keeps working.

[bd139]

Virtualization is just another fad that hides the problem of poor architecture and isolation. Watch out for when you think it is solved, things get worse. First we had enterprise crap that was shipped as VM images. That wasn't terrible. Then we realised we could archive old desktop apps. Which was a good thing.

But now it has gone to hell and we have some unholy pile of shite that turns up on your doorstep as a whole bunch of docker and kubernetes/swarm poo.

Typical example, I will quote here is a very popular piece of security/compliance software. Basically you run it on your build output and it does some analysis and tells you what CVEs and licenses you are using to cover risk. Sounds pretty cool yeah? It is. Or would be if it wasn't a total ball ache. The client is a bit of Java that does some text parsing and farts it up to a central instance you host yourself which does the reporting. Literally not rocket science. Turns out you need to spend on hardware for that, it calls home every 2 minutes and the sales wankers call you to help with your deployment every five minutes and they know what the package is doing on the client. Nasty fuckers.

When I say spend on hardware, min spec is 5 cores, 20GB RAM, 250Gb SSD backed disk on the server which also needs deployment via docker/kubernetes and all sorts of crap that you cannot physically automate other than with TCL's expect because it's a 1990s style QA interactive script that deploys it all. And the clients seem to need about 2GB extra RAM and 2 more CPUs just to run the scanning software post-build. For that, it runs like ass. Good luck keeping that alive and that's the way it's going.

Either that or you pay them to take all this hassle away and pay rent. Unfortunately due to "devops culture" (another shitty fad) it turns out the software guys, who don't know a VLAN from a WLAN or a server from a waiter are now running the infrastructure too.  . If they do know what they're doing they worked out it is really expensive to run shit like this on a large scale so force it onto AWS with the lowest instance cost they can muster which makes it run even more shitty than if you self host it (Atlassian are good at this with JIRA Cloud)

It's all shit and we're boiling in it.

Edit: out of pure cruel irony I am now going to go and build myself some Windows 10 virtual machines 

[BradC]

Virtualization is just another fad that hides the problem of poor architecture and isolation. Watch out for when you think it is solved, things get worse. First we had enterprise crap that was shipped as VM images. That wasn't terrible. Then we realised we could archive old desktop apps. Which was a good thing.

But now it has gone to hell and we have some unholy pile of shite that turns up on your doorstep as a whole bunch of docker and kubernetes/swarm poo.

I was talking about the one in the middle (archiving old apps and keeping yourself insulated from OS/system upgrades and the inevitable incompatibility). The latter has absolutely zero to do with virtualisation and is entirely the fault of shit software developed by shit developers using a shit architecture. Nothing remotely the fault of virtualization there. Unfortunately if you have to work with that crap,I feel for you, but you could always find something else to do.

[bd139]

This is still an issue with virtualization because the existence of virtualization made it acceptable for this to continue. If you look at Windows for example as an exemplary backwards compatibility platform, it will quite happily run today, broken shit that targeted windows NT4 in 1998, 22 years ago. That's about the only positive thing I can say about Windows.

The issue is that once this became available to the average developer (thanks VMware!) and not in the concept of mainframe style virtualization or solaris containers / freebsd jails etc, it was seen as an escape route to not building compatibility options into your software any more. Now it is seen as the primary way to avoid that coupling. So instead of making your software compatible with the target environments, you ship your software on top of the virtualized crap with security holes in it so it can sit there and rot while you profit and not go snap every time someone runs some updates in.

The vendor I mentioned earlier is a prime example shipping out of date OS libraries, JVM, tomcat etc which are chock full of vulnerabilities. This is entirely enabled by virtualization. And also entirely ironic considering it was a security product ffs  .. did they run their own tool on their own development stack? Definitely not!

Outside of the desktop, this is the status quo now I hate to say. I wish more people got to deal with the stuff hiding behind happy faces and clouds.