The Bikeshed

Sort By:

The Expense of Unprotected Free Software:
It's high time FOSS maintainers got a bit of appreciation

Until the big guns manage to sort things out, we're just going to need to take care of things however we can. The best we can hope for, of course, is to convince companies, institutions, and governments that it would be a really good idea to cut monthly checks for those people who maintain the software that these organizations absolutely depend upon.

by Poul-Henning Kamp | July 1, 2024

Topic: Open Source


Free and Open Source Software - and Other Market Failures:
Open source is not a goal as much as a means to an end.

Open source was not so much the goal itself as a means to an end, which is freedom: freedom to fix broken things, freedom from people who thought they could clutch the source code tightly and wield our ignorance of it as a weapon to force us all to pay for and run Windows Vista. But the FOSS movement has won what it wanted, and no matter how much oldsters dream about their glorious days as young revolutionaries, it is not coming back, because the frustrations and anger of IT in 2024 are entirely different from those of 1991.

by Poul-Henning Kamp | March 11, 2024

Topic: Open Source


Don't "Think of the Internet!":
No human right is absolute.

I cannot help but notice few women subscribe to absolutist views of electronic privacy and anonymity. Can it be that only people who play life on the easiest setting find unrestricted privacy and anonymity a great idea?

by Poul-Henning Kamp | July 10, 2023

Topic: Privacy and Rights


CSRB's Opus One:
Comments on the Cyber Safety Review Board Log4j Event Report

We in FOSS need to become much better at documenting design decisions in a way and a place where the right people will find it, read it, and understand it, before they do something ill-advised or downright stupid with our code.

by Poul-Henning Kamp | September 13, 2022

Topic: Privacy and Rights


Linear Address Spaces:
Unsafe at any speed

The linear address space as a concept is unsafe at any speed, and it badly needs mandatory CHERI seat belts. But even better would be to get rid of linear address spaces entirely and go back to the future, as successfully implemented in the Rational R1000 computer 30-plus years ago.

by Poul-Henning Kamp | June 8, 2022

Topic: Development


Surveillance Too Cheap to Meter:
Stopping Big Brother would require an expensive overhaul of the entire system.

IT nerds tend to find technological solutions for all sorts of problems?economic, political, sociological, and so on. Most of the time, these solutions don't make the problems that much worse, but when a problem is of a purely economic nature, only solutions that affect the economics of the situation can possibly work. Neither cryptography nor smart programming will be able to move the needle even a little bit when the fundamental problem is that surveillance is too cheap to meter.

by Poul-Henning Kamp | February 9, 2022

Topic: Privacy and Rights


The Software Industry IS STILL the Problem:
The time is (also) way overdue for IT professional liability

The time is way overdue for IT engineers to be subject to professional liability, like almost every other engineering profession. Before you tell me that is impossible, please study how the very same thing happened with electricity, planes, cranes, trains, ships, automobiles, lifts, food processing, buildings, and, for that matter, driving a car.

by Poul-Henning Kamp | September 29, 2021

Topic: Business/Management


What Went Wrong?:
Why we need an IT accident investigation board

Governments should create IT accident investigation boards for the exact same reasons they have done so for ships, railroads, planes, and in many cases, automobiles. Denmark got its Railroad Accident Investigation Board because too many people were maimed and killed by steam trains. The UK's Air Accidents Investigation Branch was created for pretty much the same reasons, but, specifically, because when the airlines investigated themselves, nobody was any the wiser. Does that sound slightly familiar in any way?

by Poul-Henning Kamp | July 13, 2021

Topic: Compliance


More Encryption Means Less Privacy:
Retaining electronic privacy requires more political engagement.

When Edward Snowden made it known to the world that pretty much all traffic on the Internet was collected and searched by the NSA, GCHQ (the UK Government Communications Headquarters) and various other countries’ secret services as well, the IT and networking communities were furious and felt betrayed.

by Poul-Henning Kamp | March 17, 2016

Topic: Privacy and Rights


HTTP/2.0 - The IETF is Phoning It In:
Bad protocol, bad politics

In the long run, the most memorable event of 1989 will probably be that Tim Berners-Lee hacked up the HTTP protocol and named the result the "World Wide Web." Tim’s HTTP protocol ran on 10Mbit/s, Ethernet, and coax cables, and his computer was a NeXT Cube with a 25-MHz clock frequency. Twenty-six years later, my laptop CPU is a hundred times faster and has a thousand times as much RAM as Tim’s machine had, but the HTTP protocol is still the same.

by Poul-Henning Kamp | January 6, 2015

Topic: Web Services


Quality Software Costs Money - Heartbleed Was Free:
How to generate funding for FOSS

The world runs on free and open-source software, FOSS for short, and to some degree it has predictably infiltrated just about any software-based product anywhere in the world.

by Poul-Henning Kamp | June 19, 2014

Topic: Security


Please Put OpenSSL Out of Its Misery:
OpenSSL must die, for it will never get any better.

The OpenSSL software package is around 300,000 lines of code, which means there are probably around 299 bugs still there, now that the Heartbleed bug which allowed pretty much anybody to retrieve internal state to which they should normally not have access has been fixed.

by Poul-Henning Kamp | April 12, 2014

Topic: Security


Center Wheel for Success:
Not invented here syndrome is not unique to the IT world.

When I first read the claim that, the Web site initiated by the Affordable Care Act, had cost $500 million to create, I didn’t believe the number. There is no way to make a Web site cost that much. But the actual number seems not to be an order-of-magnitude lower, and as I understand the reports, the Web site doesn’t have much to show for the high cost in term of performance, features, or quality in general.

by Poul-Henning Kamp | December 20, 2013

Topic: Web Services


More Encryption Is Not the Solution:
Cryptography as privacy works only if both ends work at it in good faith.

The recent exposure of the dragnet-style surveillance of Internet traffic has provoked a number of responses that are variations of the general formula, "More encryption is the solution." This is not the case. In fact, more encryption will probably only make the privacy crisis worse than it already is.

by Poul-Henning Kamp | July 30, 2013

Topic: Privacy and Rights


A Generation Lost in the Bazaar:
Quality happens only when someone is responsible for it.

Thirteen years ago, Eric Raymond’s book "The Cathedral and the Bazaar" (O’Reilly Media, 2001) redefined our vocabulary and all but promised an end to the waterfall model and big software companies, thanks to the new grass-roots open source software development movement. I found the book thought provoking, but it did not convince me. On the other hand, being deeply involved in open source, I couldn’t help but think that it would be nice if he was right.

by Poul-Henning Kamp | August 15, 2012

Topic: Development


LinkedIn Password Leak: Salt Their Hide:
If it does not take a full second to calculate the password hash, it is too weak.

6.5 million unsalted SHA1 hashed LinkedIn passwords have appeared in the criminal underground. There are two words in that sentence that should cause LinkedIn no end of concern: "unsalted" and "SHA1."

by Poul-Henning Kamp | June 7, 2012

Topic: Security


My Compiler Does Not Understand Me:
Until our programming languages catch up, code will be full of horrors.

Only lately have a lot of smart people found audiences for making sound points about what and how we code. Various colleagues have been beating drums and heads together for ages trying to make certain that wise insights about programming stick to neurons. Articles on coding style in this and other publications have provided further examples of such advocacy.

by Poul-Henning Kamp | May 21, 2012

Topic: Code


The Hyperdimensional Tar Pit:
Make a guess, double the number, and then move to the next larger unit of time.

When I started in computing more than a quarter of a century ago, a kind elder colleague gave me a rule of thumb for estimating when I would have finished a task properly: make a guess, double the number, and then move to the next larger unit of time. This rule scales tasks in a very interesting way: a one-minute task explodes by a factor of 120 to take two hours. A one-hour job explodes by "only" a factor 48 to take two days, while a one-day job grows by a factor of 14 to take two weeks.

by Poul-Henning Kamp | January 23, 2012

Topic: Code


The Software Industry IS the Problem:
The time has come for software liability laws.

One score and seven years ago, Ken Thompson brought forth a new problem, conceived by thinking, and dedicated to the proposition that those who trusted computers were in deep trouble. I am, of course, talking about Thompson’s Turing Award lecture, "Reflections on Trusting Trust." Unless you remember this piece by heart, you might want to take a moment to read it if at all possible.

by Poul-Henning Kamp | September 8, 2011

Topic: Privacy and Rights


The Most Expensive One-byte Mistake:
Did Ken, Dennis, and Brian choose wrong with NUL-terminated text strings?

IT both drives and implements the modern Western-style economy. Thus, we regularly see headlines about staggeringly large amounts of money connected with IT mistakes. Which IT or CS decision has resulted in the most expensive mistake?

by Poul-Henning Kamp | July 25, 2011

Topic: Development


The One-second War (What Time Will You Die?):
As more and more systems care about time at the second and sub-second level, finding a lasting solution to the leap seconds problem is becoming increasingly urgent.

Thanks to a secretive conspiracy working mostly below the public radar, your time of death may be a minute later than presently expected. But don’t expect to live any longer, unless you happen to be responsible for time synchronization in a large network of computers, in which case this coup will lower your stress level a bit every other year or so. We’re talking about the abolishment of leap seconds, a crude hack added 40 years ago, to paper over the fact that planets make lousy clocks compared with quantum mechanical phenomena.

by Poul-Henning Kamp | April 6, 2011

Topic: Development


B.Y.O.C. (1,342 Times and Counting):
Why can’t we all use standard libraries for commonly needed algorithms?

Although seldom articulated clearly, or even at all, one of the bedrock ideas of good software engineering is reuse of code libraries holding easily accessible implementations of common algorithms and facilities. The reason for this reticence is probably because there is no way to state it succinctly, without sounding like a cheap parody of Occam’s razor: It is pointless to do with several where few will suffice.

by Poul-Henning Kamp | February 17, 2011

Topic: Development


Sir, Please Step Away from the ASR-33!:
To move forward with programming languages we need to break free from the tyranny of ASCII.

One of the naughty details of my Varnish software is that the configuration is written in a domain-specific language that is converted into C source code, compiled into a shared library, and executed at hardware speed. That obviously makes me a programming language syntax designer, and just as obviously I have started to think more about how we express ourselves in these syntaxes.

by Poul-Henning Kamp | October 25, 2010

Topic: Programming Languages


You’re Doing It Wrong:
Think you’ve mastered the art of server performance? Think again.

Would you believe me if I claimed that an algorithm that has been on the books as "optimal" for 46 years, which has been analyzed in excruciating detail by geniuses like Knuth and taught in all computer science courses in the world, can be optimized to run 10 times faster? A couple of years ago, I fell into some interesting company and became the author of an open source HTTP accelerator called Varnish, basically an HTTP cache to put in front of slow Web servers.

by Poul-Henning Kamp | June 11, 2010

Topic: Performance