Unless I'm misunderstanding something, this is silly FUD. Microsoft isn't stupid enough (or evil enough, despite what some like to believe) to attempt to force PC OEMs to effectively block all OSes except Windows. They know this wouldn't work, and there'd be no point in trying to force it.
Supporting hardened boot is not the same as requiring it. Microsoft already utilizes this for BitLocker. You can still install Linux on a machine that supports hardened booting and signed images. You just can't enable hardened boot unless you use signed images.
> Microsoft isn't stupid enough (or evil enough, despite what some like to believe) to attempt to force PC OEMs to effectively block all OSes except Windows.
There's a rather large difference between contractually forbidding PC OEMs from selling Windows machines bundled with BeOS and technologically blocking non-Windows OSes from executing. It's one thing to say "you can't bundle another OS with mine". It's another thing entirely to say "your hardware can never run any OS except mine".
They both result from signing an agreement between said parties, and basically provide the same benefits to both parties (given that most people won't install an operating system themselves).
Except one leaves a choice to the end user, and the other doesn't.
+1, hardened boot is something we will address eventually with MBR and BIOS viruses on the rise again. Makes sense for MS to push in this direction and Intel/AMD aren't going to lock down that hardware to anything else.
Your $200 Dell from Best Buy might, but that will be part of the subsidy from MS. Meh.
Presumably you have to sign a pkek key with the firmware key. Even then, you don't actually have full control of your OS's kernel, so it may not be easy to insert a key.
"After years of trying to cut off Linux growth as a desktop platform on x86 and x64 PCs, Microsoft may have actually figured out a way to stop Linux deployments on client PCs dead in their tracks."
I'm quite certain Microsoft has (A) not put any significant effort into cutting off growth as a desktop platform, and (B) if they had, they were almost completely successful, and characterizing it as "trying" implies that they had limited success.
Shhh, not so loud! Such thoughts would destabilize Slashdot if they got out!
Seriously, this seems especially short-sighted, as the perception is that MS is getting thrashed by Apple in the consumer market. I think it's more about preventing malware from getting ahold of the boot process, side effects be damned.
As much as I don't like Apple/OS X, most of my friends do. Everyone got a Mac _because_ of OS X.
One got it because of low latency, and because he was "sure it won't hang up for a moment because of some background job". He uses it to make music.
Others got it for its (OS X's) usability.
That's a chilling thing IMHO when we rely on a single corporation to protect us. As far as the /. like rhetoric, you're using the parent's opinion that MS hasn't been trying, and is indeed seeing a steadily increasing competition in desktop screen space (which I've seen in two different Fortune 500 companies first hand within the last 6 years), so if that isn't true, then the rhetoric isn't just rhetoric.
I doubt any major vendor will do this. First off, they don't want to be locked into selling Microsoft-only machines. If they can't pretend Linux is an option, Microsoft can charge them $1000 for a Windows license and there's nothing they can do about it. If they have Linux hanging over Microsoft's head, though, they'll get better pricing on Windows. (Think this won't happen? It already did with XP on netbooks. When Microsoft realized that everyone was happy to get $100 off the price of their laptop to run Firefox under Linux instead of under Windows, they had no choice but to make it nearly free.)
If that doesn't work, the need for booting non-standard Windows images will save us. I've never worked for any company that ran a stock Windows install -- everyone rolls their own. If new machines won't boot this image, guess what, that new machine is bought from some vendor that doesn't do this to them. And the only reason most people use Windows at home is because they use Windows at work. If big companies started migrating away from Windows, Microsoft could be in serious trouble. (Yup, Microsoft Word is much nicer than LibreOffice Writer or AbiWord. But you don't know that if you've never used it. Or, you don't care, because you're writing a memo, not a book. And that's $600 Microsoft loses right there.)
Next, we're forgetting the all-important server market. Nobody uses Windows as a server OS, so all those servers are going to have to be able to run Grub. Since servers are what make the OEMs money (they actually need that quad core chip, you don't), keeping users of that market happy will be the hardware companies' biggest concern. If Intel chips stop booting Linux, guess what, AMD is the new king of the market.
Finally, many of these companies are in markets other than consumer computers, and they won't want to alienate their other partners. If, say, Samsung says "our hardware will only run Windows", then they won't be manufacturing Android phones or Chromebooks anymore. And that's a big deal, because they won't be manufacturing iPhones either, and that means they're out of the mobile market. (Have you ever seen anyone without MVP certification anywhere near a Windows Phone? I didn't think so.)
Basically, Windows is important, but not so important that anyone would want to be the first to go Windows-only in hardware. Hardware companies want to provide nice computers at a nice price. End users mostly want to browse the web. This puts Microsoft in a position to do exactly what the market wants, not what it thinks it can bear. When you're at the top, the only place to go is down. And that is where Microsoft is going.
> If that doesn't work, the need for booting non-standard Windows images will save us. I've never worked for any company that ran a stock Windows install -- everyone rolls their own. If new machines won't boot this image, guess what, that new machine is bought from some vendor that doesn't do this to them.
That's not how this works. It doesn't expect that the entire OS install is signed. It expects that the kernel is signed. "Non-standard" Windows installs don't generally futz with the kernel. If you work for a company that uses a hacked kernel internally, please let me know, so I can make sure I'm not invested.
> Nobody uses Windows as a server OS
Microsoft's server product (along with its related tools and products) is massively successful. The Internet darlings may not run Windows Server, but many, many companies do.
> If, say, Samsung says "our hardware will only run Windows", then they won't be manufacturing Android phones or Chromebooks anymore.
Why would anyone do that? Even if Samsung sold some hardware that was locked down to only Windows, why would they suddenly stop selling other hardware? There's just no point. They already sell devices that are effectively locked down to Android, but that doesn't preclude them continuing to sell Windows laptops.
> Microsoft's server product (along with its related tools and products) is massively successful. The Internet darlings may not run Windows Server, but many, many companies do.
Yes, and Linux as a server is massively successful. And the internet darlings are one of the biggest customers. If a machine can't boot Linux because of the signed kernel requirements enforced at the firmware, those internet darlings would move to machines that can. That isn't a risk Intel et al. are going to take, especially with AMD breathing down its back.
Implementing secure boot is a risk that Intel et al. are going to take. They've already taken a similar risk to support BitLocker with TPM hardware. None of this will stop Internet darlings from running Linux if they want, though.
Where do you see the requirement that the kernel has to be signed? I only see them mentioning the boot loader, which should be something entirely different (both on Windows and Linux, as far as I'm aware. I admit that my knowledge about the Windows boot process is incomplete).
If I'm correct (?) your whole reply to that point was a bit over the top, especially the 'tell me where you work so that I can ignore you' part.
Edit: Reading the original source (I recommend it!) confuses me. It says 'unsigned binaries will not load', but still: I'm still reading that as 'will not be loaded by the UEFI firmware' - which should only need to load the bootloader (+ relevant drivers) as far as I understand it?
I think the idea behind the signed bootloader is that the kernel that the bootloader loads will then be trusted as well. In this way the chain of trust moves up the boot stack and the risk of an early-boot / kernel rootkit can be minimized, especially if the kernel also tries to verify the authenticity of all modules it loads into kernel space (which Windows already does and has for quite some time - please note that I specified "tries").
I don't think this will affect corporate Windows installations as you'd presumably be installing a signed kernel and signed drivers - as the post above yours states, it's very rare to use a non-Microsoft-supplied kernel and unsigned drivers in the corporate environment today.
Signing a Linux bootloader could be perceived as a potential breach of this trusted boot process, as Windows could then potentially be loading in an emulated environment created by a malicious GRUB module or the like. Chances are, nobody subscribing to Trusted Boot will ruin their marketability by either a) not providing a way to disable the trust verification or b) not signing a Linux bootloader. However, that possibility is what has the rash of speculative "Linux won't run anymore!!!" articles running around the internet this week.
More solid info on the trusted boot process can be derived from:
You're probably correct. I was just saying that there's no need for the entire Windows installation to be signed, as jrockway implied. Such a requirement would be nearly impossible (and would require scanning the entire OS at startup to verify the signature).
Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed.
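The chain of trust discussed in the comments above, as an added example that is not part of the thread: each stage checks the next one before handing over control, and one unverified stage leaves everything after it untrusted. It is a simplified model in which SHA-256 digest allowlists stand in for signature checks against enrolled keys; the `Stage` class, the `boot` function and the image bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def digest(image: bytes) -> str:
    """SHA-256 of an image, used here in place of a real signature check."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Stage:
    name: str
    image: bytes
    # Digests this stage accepts for whatever it loads next (assumption:
    # a real stage would verify a signature against keys it carries).
    trusted_next: set = field(default_factory=set)


# Constructed sample images; the bytes only need to be distinct.
BOOTLOADER = b"bootloader image (constructed)"
KERNEL = b"kernel image (constructed)"
DRIVER = b"kernel-mode driver (constructed)"

# What the firmware will hand control to when enforcement is on.
FIRMWARE_DB = {digest(BOOTLOADER)}


def make_chain(bootloader=BOOTLOADER, kernel=KERNEL, driver=DRIVER):
    """Images actually on disk (the arguments) paired with allowlists that
    were built from the genuine images."""
    return [
        Stage("bootloader", bootloader, {digest(KERNEL)}),
        Stage("kernel", kernel, {digest(DRIVER)}),
        Stage("driver", driver),
    ]


def boot(firmware_db, stages, enforce=True):
    """Walk the chain from firmware upwards.

    Returns (loaded_stage_names, chain_trusted, refused_stage_or_None).
    With enforce=True the first image that fails its check is refused and
    the boot stops. With enforce=False everything loads, but once one stage
    is unverified the chain stays untrusted: later checks are carried out
    by code nobody vouched for, so a matching digest further up proves
    nothing.
    """
    allow = firmware_db
    loaded = []
    trusted = True
    for stage in stages:
        if digest(stage.image) not in allow:
            if enforce:
                return loaded, False, stage.name
            trusted = False
        loaded.append(stage.name)
        allow = stage.trusted_next  # the stage just loaded decides what follows
    return loaded, trusted, None


if __name__ == "__main__":
    print(boot(FIRMWARE_DB, make_chain()))
    print(boot(FIRMWARE_DB, make_chain(kernel=b"patched kernel")))
    print(boot(FIRMWARE_DB, make_chain(bootloader=b"other loader"), enforce=False))
```
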
No PC OEM has a rational fear of MS doing bad by them, regardless of lock-in. Firstly, MS has no good reason to do that since it would just put the retail price of the PCs too high to sell well, and MS is a volume business and knows it. They're smart enough to know to avoid hurting their own sales. They already know who and how to charge ridiculously high prices per client for software and it's not OEMs or retail consumers. Secondly, the OEMs so affected would likely run to the FTC immediately and file complaints of unfair trade practices, and then MS would find itself in a fecal-tornado of bad press and government action that it would surely not enjoy. Thirdly, OEM licenses can only go so high, as then OEMs could just buy and install retail copies of Windows on their machines. In short, this whole fantastical scenario goes against everything that MS has done as a business and everything that MS has done as part of creating and maintaining relationships with OEMs over the past 3 decades; it makes no sense.
As far as the server market, those machines are almost invariably different hardware than commodity PCs. I don't think it's likely that PC component makers or OEMs will opt for Windows-only systems, but I don't think you've put forward a sufficient argument on why that should be the case.
> No PC OEM has a rational fear of MS doing bad by them, regardless of lock-in. Firstly, MS has no good reason to do that since it would just put the retail price of the PCs too high to sell well, and MS is a volume business and knows it.
Microsoft already prices it differently for different OEMs. They are already in mortal fear that Microsoft will change it, even without the technology to enforce it.
Can't find a link now, but in one of the big computer trade shows, in the morning Asus said they'll be promoting Linux on the recent 9" Eee. Afternoon, they apologized and said they will only promote Windows, and will in fact redesign it to better fit Windows. The difference was apparently made by a call from Microsoft that threatened their volume licensing deal.
> MS would find itself in a fecal-tornado of bad press and government action that it would surely not enjoy.
The government works for Microsoft. MS had some fear of antitrust back in the late 90s, but they've since become one of the largest lobbyists, buying politicians on both sides. They are not touchable by antitrust or any other government action in the foreseeable future.
Here in India, Microsoft is famous only because the pirated version is freely available from anywhere, through anyone at any time. That's the only reason why everybody uses it all the time.
Take away the free option, and the non industry consumers will just dump their OS. What is stopping Linux from ruling the Desktop market is an awesome UI.
Now, I decide to buy a netbook for browsing and light development. I can save up to 1500 rupees on the OS if I go in for a pre loaded FreeDOS version. So this is what I have decided, to buy a good HP netbook which comes close to 15000 rupees. Install Ubuntu LTS version on it. Remain hassle free for the next two years. And spend the saved 1500 rupees on buying a good headphone to listen to music.
I don't see any reason why I must remotely feel the need to use Windows anymore. Unless of course I need to work on a word document. Most of the time OpenOffice is sufficient, if it isn't I just walk up to the next DTP store around my place, pay the guy 20 bucks and get the work done in an hour.
Which is why my employer really doesn't use Outlook/Exchange for email, or Sharepoint for the intranet, or IIS for the public website, or ActiveDirectory to manage logins and whatever else it does, or ....
Maybe you mean, "nobody uses only Windows as a server OS"? But even tho that would work for my employer (we also have Linux and AIX) and probably all large companies (including Microsoft?), I'm sure there are a ton of smaller ones it doesn't apply to.
> Which is why my employer really doesn't use Outlook/Exchange for email, or Sharepoint for the intranet, or IIS for the public website, or ActiveDirectory to manage logins and whatever else it does, or ....
If you really have to live with all that stuff, I'm deeply sorry for you. I use Exchange and AD and it's bad enough.
Oh come on, seriously? I'm not saying it's the best thing ever, but it works well enough for the majority of small businesses. There is nobody who is really inconvenienced by having to use AD (it's not like most people would even notice). At least it provides a default and standard authentication system, unlike the hacks I've seen where people use rsync to distribute /etc/passwd and /etc/shadow to all machines (and don't get me started on that piece of junk OpenLDAP, I have yet to meet the first person who could build a complete and working centralized auth environment with it.)
> I doubt any major vendor will do this. First off, they don't want to be locked into selling Microsoft-only machines. If they can't pretend Linux is an option, Microsoft can charge them $1000 for a Windows license and there's nothing they can do about it.
I doubt that secure boot is a factor in this, since it would be easy for vendors to disable by default in the factory if they wanted to install Linux.
The point of the article isn't that the machines will be Windows-only, but that dual booting may no longer be possible. It makes a point of emphasizing that secure booting will likely be easy for the user to disable, although that will disable Windows 8 as well.
> The point of the article isn't that the machines will be Windows-only, but that dual booting may no longer be possible. It makes a point of emphasizing that secure booting will likely be easy for the user to disable, although that will disable Windows 8 as well.
Never going to happen. Win8 will install on machines built for Win7.
Win 8 is not going to refuse to boot on machines that have boot signing disabled.
That's not what we're talking about. We're talking about the Windows 8 Logo Program, which is basically that sticker on a new PC that says it is certified to run Windows 8.
I think we're actually talking about some paranoid hype written about a blog post written about a slide deck.
Maybe Microsoft will require OEMs to support secure boot to be certified for Win8 (fine by me). That doesn't mean that the user won't be able to disable it if they want, and it definitely doesn't mean Win8 won't run when it's turned off.
Right, but Windows 8 should still happily boot on a Windows 8 Logo'd PC which has had signed boot disabled by the user for the same reason that it happily boots on non-Logo'd PCs.
Ha! That's the first thing I always do with a new computer: remove all those stickers. Some Vista stickers are extremely hard to remove. That being said, my Air came with absolutely no stickers on it.
> Yup, Microsoft Word is much nicer than LibreOffice Writer or AbiWord. But you don't know that if you've never used it. Or, you don't care, because you're writing a memo, not a book. And that's $600 Microsoft loses right there.
The very last thing for which I'd consider using MS Word (or any WYSIWYG processor, for that matter) would be writing a book (or any prolonged text which concentrates on the content). Seriously, if you do this you've never even thought about the fact that there are alternatives which are vastly superior for such tasks (one of which being plaintext. Yes, plaintext). I don't get why you would even consider writing a book in a document processor - save for LyX, but that's not exactly a standard word processor.
Sorry for the rant, I mostly agree with you. The general development still scares me though.
Estimates of between 40-75% of all servers are Windows based. While Linux is ahead in Web servers (71% market share), they aren't the only type of server going around...
These stats are hard to measure as they can't really account for people who just install free Linux distros, but in terms of sold Linux based licenses, Microsoft is ahead. At the very least it shows that the assertion "no one uses Windows as a server OS" is far from the truth. 5-6 billion dollars revenue a quarter is hardly 'no one'.
> they don't want to be locked into selling Microsoft-only machines.
True to some extent, but they can always create Linux models that just don't include the MS public key.
> the need for booting non-standard Windows images will save us.
Customized Windows images should have the same signature since the signed components (kernel, drivers, etc.) will be the same.
> the all-important server market
This either doesn't apply to servers or the vendors will just create Linux models.
> If Intel chips stop booting Linux
To be clear, that is not what we're talking about. This is an optional firmware feature (and I assume it will apply to all logoed PCs regardless of processor type).
I've actually never heard that, I've heard more like "no one will support it" until RedHat came around, then it was "no one knows how to use it" until I saw IBM use it, then I heard "but there's no software" until I saw Oracle make software for it. That was just in Non-IT businesses. In IT-industry businesses, I never heard Windows discussed too seriously outside of "well, we had to unfortunately because of a client..."
Why should I learn a new toolchain when I already have one that's just as good but has been around for 30+ years? It's fun to reinvent the wheel, but as a user, sometimes enough is enough. Just give me bash and the coreutils, kthx.
You're completely killing innovation this way. Your bash and coreutils work on Windows, they're just not as useful in that environment. Would you also expect to have bash and coreutils on a Lisp Machine?
Also if you don't know anything about this new toolchain, how can you say that your old one is "just as good"?
Caveat: I have been a heavy Linux user for the past 7 years, but I'm not so quick to dismiss alien technology, especially when it addresses obvious flaws in Unix -- e.g. piping plain text with parsing and printing it again on all stages seems so ancient, I would much rather like to be able to use structured data instead. Also, you could remove the overhead of process initialization if your command line tools are just functions, and not executables. Just sayin'.
PS is just a piece of the puzzle. In fact, if I were to automate things on Windows, I would pick Perl/Python/Ruby (on Linux, I use shell scripts only for jobs which are less than 50 lines).
The major question is: do the objects which are to be automated lend themselves to automation?
Here is one of the results I found while looking for 'sql server automate'
*nix DBAs used shell scripts as their primary management tool, but the SQL Server of that day was not scriptable. Would those DBAs accept the use of GUI tools?
So it looks like it used to be the case that it wasn't scriptable, but it is now.
You can script and automate IIS and MSSQL using PowerShell. I'm willing to bet dollars against pesos that if MS hasn't made everything in Windows scriptable via PowerShell, they are currently working towards it.
I'll make it short:
1. Of course
2. You write a script. Or simply use something out of the Systems Management Product Family (awesome btw)
3. WMI or PowerShell should do the job.
You rarely write custom code when scripting....most use cases are covered by a huge library MS offers. The rest is available through Google :)
We have run large Windows Server Farms at my past company (SaaS Business) and maybe 3-4 Linux Servers...the ones causing the most trouble were the Linux ones. One reason: Every dummy can administrate a Windows machine....not so a Linux machine! That fact forced the Ops team to get rid of the Linux machines as quickly as they could.
> Every dummy can administrate a Windows machine....not so a Linux machine! That fact forced the Ops team to get rid of the Linux machines as quickly as they could.
So you choose an inferior mediocre alternative just because you can hire mediocre folks to handle it (you mentioned 'dummy'). Ultimately having sufficient technical debt to make you miserable for the next decade.
Linux command line isn't very upfront friendly for sure, but its strength lies in automating as much as you can, programmatically. When you talk of administration things go beyond cleaning up files and giving access to users. You must have abilities/tools to quickly hack up solutions to programming problems while problems in operations. That's why bash/sed/awk/perl and other Unix text processing utilities are so big on the server side. Unix forms a complete programming ecosystem in itself apart from being an OS. Windows command line is not just weak but literally useless in this area.
It's like saying just because anybody can use notepad, Emacs is useless.
Unfortunately, this is how business works. If they can hire an operations team full of Windows lusers and pay them $30K a year instead of Linux admins that cost $60K a year, they usually do that.
The thought never crosses their mind that you get what you pay for, and 1 qualified Linux admin can replace an entire team of Windows admins due to automation, scripting, and superior manageability of Linux.
Look at it this way: you should never trust a single guy to manage your entire system. You need to have backup in case of the flu, accidents, anything.
1. Windows was never originally designed to work as a Server side operating system in the first place. They started to drive it on the server side when they first discovered the Internet had a huge commercial potential to sell machines on the backend. Therefore all means of getting things done on a Windows machine for a developer have to go somehow through a set of GUIs to get work done programmatically. This sucks from a programmer's perspective, programming is all about level of customizability.
2. Command line on Windows sucks, apart from just removing, adding files/directories and running commands anything else is just a pain. The UNIX command line is a complete interpreter in itself (bash).
3. The UNIX operating system is more than an OS, it's a complete programming ecosystem in itself. The whole concept of everything being a file or a process is just so elegant. You can endlessly leverage native tools like sed/bash/awk/cut/tr/perl and other text processing utilities to solve any problem with a combination of text files and processes. Which is not easily possible with Windows, heck using those tools on Windows is a big pain. They are often ported with limitations.
4. Debugging, is a breeze. Checking logs is a breeze. Text processing utilities and endlessly configurable tools make it very easy for system administration with the help of pipes. This is very crucial for system administrators. They often want to do stuff without the help of programmers to get quick solutions when they get paged at 2 in the night.
5. Many other development features like Inter process communication with tools like DBus. Sockets et al are vastly superior in UNIX than Windows.
6. Many programming languages were developed (Perl/Ruby/C) with entire context of UNIX in mind. Therefore they natively work very well with UNIX.
7. Vast resources of knowledge of troubleshooting and maintenance available for UNIX. Which makes things easier for newbies to deal with.
8. Unix is open source, it's freely available. And will be there for a long time. People who supply it do it on passion and pure volunteer effort and will do it for fun and because they like. Windows can be killed at any time for profit.
9. Vendor lock in problems. I don't understand why I should use all MS specific software all over. I can't scale horizontally due to cost issues. Also apart from .NET developing for any other technology sucks on Windows.
10. Lack of multiuser login, Servers need many people to login and work at the same time. For testing and for development reasons. Servers are just so much more than deployment only boxes.
11. GUI overhead, Why should I spend my computing resources on OS and GUI when I should actually be spending them on my applications?
12. Registry is a pain on Windows, I don't have to worry about those hassles on UNIX.
Not to defend Windows here, because it certainly has its flaws, but you're so deluded it's not even funny any more. You seem to like 'openness' so much, but the concept of 'open mind' seems to be completely lost on you.
"Therefore all means of getting things done on a Windows machine for a developer have to go somehow through a set of GUIs to get work done programmatically."
This alone is enough to discard anything you say about this topic. You obviously have no idea what you're talking about. Everything in Windows is programmable, through a standard object model, and the facilities to put them into any program are standardized, too.
"Which is not easily possible with Windows, heck using those tools on Windows is a big pain."
Windows != Unix. If you are a bricklayer and you get into gardening, would you complain that your concrete mixer doesn't work well for shoveling a garden? Unix tools on Windows is a crutch for people who refuse to adjust to the environment they're in (or as a band aid for a quick and dirty port of Unix functionality).
"tools like DBus. Sockets et al are vastly superior in UNIX than Windows."
Windows != Unix. The concurrent tasks model in Windows is based on threads, not process spawning. Don't take your Unix prejudices to Windows when you write software for Windows. Are you seriously suggesting there are no working IPC mechanisms in Windows? There are vast amounts of functionality to do so, and on a much deeper level than just 'pipe text from one process to the next' (i.e., a proper object model that can be used to share code written in several languages and with which you can pass objects and not just text).
"Lack of multiuser login,"
WTF are you talking about? Have you ever seen a Windows box since Windows 95?
"Registry is a pain on Windows, I don't have to worry about those hassles on UNIX."
What? Are you saying you prefer 25 different file formats, spread out in non-standard ways, without a standardized layout? Or are you saying that editing Apache config files with sed and awk is a good idea? If so, you're clearly off your rockers. Of course you can hack together something that 'mostly works', but at least with the registry you have a standard format, standardized and cross-language APIs and a (more or less) standard organization of data.
Now I'm not defending the implementation of the registry; it has outlived its design. But being against the idea is lunacy - why do you think the Gnome guys realized in the early 2000's that they needed something similar?
Here's the thing about the registry: with a bunch of config files in /etc, I already have many, many tools for managing them because they're just text files like every other text file. With the Windows registry, if I want version control or something like that, I have to invent the tools myself. This is a waste of my time unless I am in the business of selling products for Windows.
UNIX is about being generic. Yes, it means Apache and Varnish have different config file formats. But it also means that I already have the tools I need to automate my configuration so I don't have to care.
(Yes, Windows is programmable. But when you start having to compile software to automate your deployment, it becomes engineering and becomes a task of its own. Compare this to a quick command-line oneliner, and you'll see why people prefer UNIX. Engineering is about knowing how much you need to get something accomplished. Sometimes you do need to write highly-advanced configuration software. But other times, you don't. Windows doesn't give you that choice.)
Re: versioning, you can dump the registry in text format with regedit /e and save it to a text file. It's true that you can't keep an svn directory with config files like in Unix, you can still get the same with a few batch scripts that call svn update/regedit. However, more importantly, you hardly ever need to because you can do most of your server management centrally so that you never have to manually work with the registry.
Secondly, it's only true in the most simple cases that you can edit config files easily. First, all config formats are different - from the bizarre (Sendmail) to fairly sensible (Apache), but each one requires separate tools/scripts. Secondly, most of them are quite hard to automate - for example most config formats ignore white space, but writing a robust 'parser' in bash/sed/awk is a major pita and something you can never quite get right. (this is what I alluded to in my previous post). I don't see how you can say 'I already have most of the tools' - you need to learn the syntax and then write a complete program to parse the files. For example, you need somewhat of a state machine to parse/edit Apache VirtualHost directives. You need to write a complete editor from scratch each time.
I'm not sure what you mean with the last line. Just as with a properly set up make environment, you can compile a whole Visual Studio project with a single command from the command line. There is no way to do a bunch of things 'automatically' on Linux either (compile, run test, deploy, whatever), you still need to code them into your makefiles/deployment scripts.
(I've written software on and admin'ed Linux for coming on 15 years and I've written Windows software for over 10 - I have quite a bit of experience with both. They both have good and bad sides, and I run my personal servers on Linux myself. That said, the arguments used here against Windows are plain false and reek of Slashdot-style fanboyism).
> Re: versioning, you can dump the registry in text format with regedit /e and save it to a text file.
The idea of diffing a registry dump fills my heart with horror.
> First, all config formats are different - from the bizarre (Sendmail) to fairly sensible (Apache), but each one requires separate tools/scripts.
I am quite happy editing them with vi or emacs (when available). I also like joe a lot - it reminds me of WordStar.
> you need to learn the syntax and then write a complete program to parse the files.
In about 10 years of Unix, I never had to build anything like this. And, when I wanted to parse my own config files, I always had libraries to do it ready.
> For example, you need somewhat of a state machine to parse/edit Apache VirtualHost directives. You need to write a complete editor from scratch each time.
I think you may be approaching the problem from the wrong angle. Are you trying to build a GUI tool to edit Apache configuration files?
Sure, so am I (well except for Sendmail configs). We were talking about programmatically editing here.
"And, when I wanted to parse my own config files, I always had libraries to do it ready."
Really? How do you, in bash, write a script to change, or if necessary add, an 'IndexAllowed' directive to a certain specific VirtualHost? Mind you, Apache config files can Include other files (and many distros ship with default config files that use this).
"Are you trying to build a GUI tool to edit Apache configuration files?"
I'm not building anything, I was just using this as an example of things you'd want to script, for example in the context of a web hosting provider who wants to automate the creation of new customer setups. (Yes I realize that there are many ways to attack this specific problem, but most of them are very specific to Apache and would have to be re-engineered for each problem)
> We were talking about programmatically editing here.
I am not sure it's a good idea. Just generating the files from a CMDB and placing them in the servers seems the simplest approach. I do it. This way I have the nice side effect that anything a sysadmin did directly and manually on the server bypassing the config database (something that shouldn't really be done) gets wiped out as soon as possible.
> in bash
Almost every Unix out there has Python, Perl and Ruby already installed. You don't need to use bash unless you really want it.
Speaking as someone who refuses good money when it involves working on Windows, because no one's offering me enough money for that level of pain...
Seriously, if you claim that a drawback of Windows is that it doesn't allow multi-user login, then it's hard not to ask "WTF are you talking about? Really, what are you talking about? Are you stuck in some circa-1995 reference frame? That doesn't even make sense!"
So I'm not sure that it was a personal remark. It may have just been honest lack of comprehension.
There is a distinction between 'ad hominem' and 'refuting an opponent's ethos'. Somebody made a factual claim about something, therefore implying some form of at least familiarity with the subject at hand. When his arguments show that he lacks even the most basic of such familiarity, then calling that out is not an ad hominem.
Foreword: I've been using various flavors of Linux for a good chunk of the last decade (since 2001) and totally ignored Windows until last year, so I am no Windows fanboy.
2. This may be true for the good old cmd.exe but.. have you tried PowerShell? I've been playing with PowerShell 2 on Windows 7 and found that it leaves little to be desired. It is self-documenting (a-la Emacs). It can be extended using .NET. You can pipe entire objects instead of unstructured text streams. Coming from a strong UNIX background I /am/ impressed and actually think it is way better than a POSIX-compatible shell. I even wrote a couple of scripts [1] to post-configure my Windows 7 installation in a similar way I do on Linux with Puppet [2].
7. This is true even for Windows, in my experience. Every time I do a Google search for troubleshooting I am directed to Microsoft's Knowledge Base or the (free) MSDN website.
11. AFAIK, you can uninstall the GUI component on Windows Server 2008 (you will be left with a heavily stripped down GUI, without the usual graphical shell)
12. It may be a pain but at least it is a consistent way to store configuration settings and it is widely adopted as such. Compare it with the plethora of different configuration file formats used on a typical Linux/Unix workstation (Mac OS X being the exception since they seem to consistently use XML-based property lists almost everywhere). Each system has its strengths and weaknesses but I wouldn't call the Windows Registry "a mess".
I don't comment on your other points either because I don't have enough first-hand experience with it (1, 4, 5, 9, 10) or because I partially agree with you (3, 6, 8).
Anyway, it seems that you're coming from a strong UNIX mindset and that you try to forcefully shoehorn it to Windows (3rd and 4th points), along with (my guess) lack of experience in certain areas of Windows administration (2nd point).
As for me: I was really impressed by Windows 7. Some things I really miss are a decent Window Manager (but this is true of every commercial OS I've ever tried) and a good software management solution (either a decent, standardized, package manager, an AppDir mechanism like OS X or both).
> I've been using various flavors of Linux for a good chunk of the last decade (since 2001) and totally ignored Windows until last year, so I am no Windows fanboy.
You know there is a fallacy there, don't you? It's perfectly possible to ignore something for decades and still fall in love with it later. I've seen lots of Windows and Linux fanboys fall for OSX and become very annoying in the process.
I can believe you are no Windows fanboy without you presenting credentials.
> [...] It's perfectly possible to ignore something for decades and still fall in love with it later.
> [...] I can believe you are no Windows fanboy without you presenting credentials.
You're right. Sometimes I believe it is better to point out where I am coming from (especially when replying to the "anti-something" kind of posts) to avoid being seen as a fanboy. I always try to be as unbiased as possible. Maybe I'm just being overly considerate.
> it seems that you're coming from a strong UNIX mindset and that you try to forcefully shoehorn it to Windows
I come from backend server based mindset and find it difficult to shoehorn the concepts there to a desktop operating system. For no justifiable reason. I still see no reason why I must use Windows on my backend.
I fail to see the need to endlessly shoehorn Windows for all my backend tasks (PowerShell included) when I can get everything of that in a vanilla Linux installation.
If you say Windows is a good desktop operating system, you are correct in your own right. But literally there is no comparison between UNIX and Windows on the server end.
Along similar lines, there are many things in Windows (like directory share on network, printer settings) which are far easier to use than on Linux.
To say that Windows is a perfectly competent and acceptable server OS that is the equal of Linux for the majority of usecases is a different proposition from saying that you must use Windows on [your] backend, or should shoehorn Windows for all [your] backend tasks
> 1. Windows was never originally designed to work as a Server side operating system at the first place.
That's not exactly correct. Windows NT was designed to compete against Unix in the desktop workstation and non-dedicated server market. It was designed by a team formed mostly by DEC alumni. I call it "the bastard child of VMS" for a reason.
> 8. Unix is open source, its freely available.
Linux and BSD are, but OSX and Solaris are only partially open source and AIX and HP-UX are very proprietary.
> 10. Lack of multiuser login,
I believe Windows servers can currently host more than one user session. I used this with NT TSE and I don't think this feature was removed since the late 90's (when I used it). It may be some idiotic license restriction.
> 11. GUI overhead
Windows' GUI is rather primitive. I can't imagine the resources it consumes are relevant these days. I have seen more sophisticated stuff on Symbian phones.
> I believe Windows servers can currently host more than one user session.
Yes. Windows XP and Server 2003 Standard allow one local login plus two Terminal Server (remote desktop) sessions. Windows Server 2003 Enterprise and Datacenter Editions allow more (but nobody ever bought those flavors because Standard was so much cheaper.) I'm not familiar with Windows 2008 Server but the policies are probably similar.
The limit of two remote sessions in the regular editions is arbitrary, but was chosen mostly for RAM constraints; the windowing environment for each user plus the tasks they're likely to run will consume a few hundred MB of RAM or more. The advanced editions support RAM beyond the 4 GB 32-bit limit.
> they sort of winced and said "Linux... ehhh... it's hard to get Linux doing what you want."
I'd say the company you work for has a humongous and probably incurable HR problem. If this is the kind of IT folks they hire, my best advice would be to run away and stay as far from it as possible.
You can also write a very fun book with the stories you probably witness. I'd buy it.
> This is the problem with getting tech news only from HN.
Most of us have worked one or more tech jobs, and HN isn't the source for the assumption that nobody uses Windows as servers. That "nobody" is far-fetched - of course .NET shops will most probably be deploying on Windows; for some reason most of the Java shops do so as well.
But outside that, Linux or BSD is the favored deployment platform. And the OP's argument basically boils down to server vendors can't afford to not boot Linux, not when Linux has a significant market share.
This could block Linux from booting, but realistically speaking, does anyone believe that will happen? It seems very, very unlikely to me that you won't be able to disable signing restrictions at the firmware level.
Investors are savvier than you'd think. Even on a rumor that the vendor is doing an exclusive lock-in with MS, I'm sure you'd see the stock price dip. Investors spend all their time looking at news reports in their target industry, so I'm sure they'll notice something as big as this.
But what product will they be putting the lock-in on? It may not matter, as we've seen with mobile OSes which, from the perspective of the median buyer, are locked in.
It makes some sense that MS will do this, especially since Hyper-V (VM hypervisor) is now built in to Windows 8. "Want Linux? You need Windows too..."
This is overblown. However, if this means secure boot hardware is even more widely available, it is a win -- if the keys are under control of the user or his organization, it is a huge security win.
I've long thought that the only place where I allow Windows is in a virtual machine. This seems to hint in that direction: buy a machine that isn't broken (can boot Linux) and do your Windows duties under VirtualBox or something.
It won't happen, and if it does happen, it won't matter.
Can you imagine the Anti-Trust problems this would create? Microsoft is still a big fat target for anti-trust lawsuits and this one is pretty blatant.
And if it does happen, while we're waiting for the Justice Department to end it I'm pretty sure the Linux hackers will find a way around it. When there is a will, there is a way.
ChromeOS has a similar thing, with a developer switch at the back that basically turns off the signature validation in firmware. What they should worry about is which CA root to put in there.
> The two alternatives here are for Windows to be signed with a Microsoft key and for the public part of that key to be included with all systems, or
Does it have to be directly signed by that key, or does it work like the CA system that web browsers use?
> A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux. [ from the blog post rather than the article ]
Which tells us that either systems will not ship with only those keys, or there will be a simple way to disable this ("Press F2 for setup"), or somebody will be getting sued on antitrust grounds (which maybe would be ignored again in the US, but not the rest of the world) and forced to provide a workaround.
No one seems to have mentioned the impact this will have on Live systems. I'm frequently called on by Windows users to recover lost data on corrupted systems, which I do using a Live Linux distribution (especially when they have discarded their installation media & access keys, and have no interest in investing money in continuing using Windows if I can give them a free alternative to getting online). How will I be able to do that for people with Windows 8 computers?
I'm sure I'll be able to find unsigned hardware for my personal use, but it's the interoperability that concerns me.
It certainly won't get easier to install a Linux dual-boot. It is already difficult enough as it is:
* Windows PCs without installation medium
* Windows installation with a full partition table (four primary partitions)
* (intentionally?) corrupted partition tables
I.e. installing GNU/Linux requires you to resize partitions with a potentially corrupted NTFS file system and/or delete backup partitions. Alternatively the user uses a Windows image file as Linux file system (Wubi) which is slower and a more fragile solution.
Linux (on the desktop) is probably of little or no concern to Microsoft at this point. They've got bigger problems to worry about. If they want to focus on making computers sold with Windows offer the best possible experience it will benefit the most people. Possibly it will make things harder for Linux users but from Microsoft's perspective if the OEM is shipping Windows there's no reason to consider Linux as part of the equation.
My personal opinion is that it is indeed little concern, but a little concern to many parts of MS, which compared to many other companies may well look like a dedicated anti-linux corporation that outnumbers them.
But what is "Linux"? If it were a package you could buy in a box from the store, the manufacturer would just sign a contract with OEMs to have a suitable key present in all manufactured computers, but Linux isn't like that. What if I want to compile my own kernel in order to try out an experimental feature, or help test a driver? What if I need to upgrade my boot-loader?
The only alternative to 'blocking Linux' is 'allowing anything to run', and if manufacturers were happy to allow that, they wouldn't bother with these features in the first place.
I'm sure there'll still be lots of computers that are capable of running Linux - multi-thousand dollar servers and high-end workstations; the kind of computers you buy through your account manager. It seems pretty sensible to block unauthorised OSs on low-end computers — the kind that ship with OS X or Windows Basic, the kind where minimizing support costs is vitally important.
Unfortunately, that's the same market segment where I and everybody I know got their start: taking over an old Windows box and putting Linux to see what the fuss was all about.
Could it be that the "fear-mongering" and subsequent outrage is a major reason why we didn't have this kind of lock-down 5-10 years ago?
I think mjg's wait-and-see approach is a good one. Not to panic yet, but certainly not to forget either - keep an eye out, see how it develops, and be prepared to oppose lock-down through various channels should it come (and hopefully before it is too late).
If this makes it into real hardware I expect the EU to reopen their case against Microsoft fairly quickly on anti-competitive grounds. There are too many governmental institutions and businesses dependent on Linux for their day-to-day work for this to go unchallenged.
There was a time when Windows Logo was considered prestigious, respectable and trendy thing.
With such a practice Microsoft is quickly approaching a time when Windows Logo will be perceived like a hot-iron branding of robbers and other criminals in the medieval era.
Does this affect dual booting OS X? I doubt the side-effect of blocking Linux boots was anything but a coincidence. But could Microsoft be fearful of Hackintoshes becoming more popular and an increase of OS X running on non-Apple hardware?
> Does this affect dual booting OS X? I doubt the side-effect of blocking Linux boots was anything but a coincidence. But could Microsoft be fearful of Hackintoshes becoming more popular and an increase of OS X running on non-Apple hardware?
I doubt it. Whilst I don't mean to belittle the hard work that goes into the hackintosh projects out there, we're talking about a tiny, tiny group of people that probably have an imperceptible impact on MSFT's bottom line.
Hackintoshes a threat to Windows? No offense, but that's laughable. It's been awhile since I put together one but it's such a huge pain in the ass that even most people capable of putting OS X on ordinary hardware won't bother.
If the UEFI could be made to handle multiple keys, and allow the owner to enter them into the firmware, then this could work. One more step in the setup but a more secure system overall.
But even if this was true, there are still ways around this, right? I mean rEFIt does a pretty good job booting up Linux on a Mac, so wouldn't this be possible on those PCs as well?
Wouldn't this draw anti-trust battles? Since complying with EFI signing is against the license of one of the only other major alternatives to Windows, this would not bode well for Microsoft.
Could be -- it sounds like a possible "tie-out" (a variation on tie-in). AFAIK There haven't been many tie-out cases, but as antitrust litigator George Gordon [1] put it a few years back, "The term “tie out” is often used to refer to arrangements in which a license prohibits a licensee from dealing in and/or developing competing, noninfringing technologies. [Footnote omitted] Such arrangements have been found to be intellectual property misuse and could form the basis for an antitrust claim as well." [2]
If MS were to do something like this, I imagine Gary Reback [3], its nemesis in previous antitrust battles, would be all over it ....
> Wouldn't this draw anti-trust battles? Since complying with EFI signing is against the license of one of the only other major alternatives to Windows, this would not bode well for Microsoft.
And who do you expect to pursue this anti-trust?
The US government?
Oh, I didn't realize you were joking! ha ha, funny.
The US government is owned by big corps, MS being one of them. Something really weird has to happen for them to turn against their corporate masters. (And don't compare it to the previous anti-trust case - at the time, microsoft wasn't lobbying and paying, sorry, donating to, politicians from both parties)
Summary : Machines that have the "Windows 8" logo must have UEFI, which means the bootloader must be signed with a key that's in the BIOS. Additionally the OS can use the keys to check other signed code : device drivers etc.
My conclusion : A smart vendor will include a signed program that will manage said keys in the BIOS.
Like I suspected, this entire thread has been turned by zealots into a Microsoft-bashing exercise.
I genuinely despair for people who spend their entire time platform bashing and don't add something constructive to the discussion or tar and feather a side religiously. It paints a very bad picture of the "startup culture" amongst more established organisations.
I use Ubuntu but surely my hard drive is full of malware (boot system compromised). Linux is for hackers playing with backdoors. I like free software and Linux, but if I need a secure system, I should have to pay the price of using Windows 8.