There is a scene in Pirates of the Caribbean I think of a lot. "You are without a doubt the worst pirate I have ever heard of" "Ah, but you have heard of me."
He kept the scope down. He shipped. It was hugely successful. In the end it was overtaken and rightly so, but that doesn't invalidate the success it had.
"For all the folks getting excited about my quotes. Here is another - Yes, I am a terrible coder, but I am probably still better than you :)" -Rasmus Lerdorf
And who remembers how careless, reckless, and blithe he was with the PHP 5.3.7 release he didn't bother to test because running tests was too much of a hassle because there were already so many test failures that wading through them all to see if there were any new ones was just too much to ask of him, the leader of the widely used project, in charge of cutting releases?
> 5.3.7 upgrade warning: [22-Aug-2011] Due to unfortunate issues with 5.3.7 (see bug#55439) users should postpone upgrading until 5.3.8 is released (expected in a few days).
No seriously, he's literally as careless as he claims to be (when he says that repeatedly, you should believe him!), and his lack of giving a shit about things like tests and encryption and security that are extremely important has caused actual serious security problems, like breaking crypt() by checking in sloppy buggy code that would have caused a unit test to fail, but without bothering to run the unit tests (because so many of them failed anyway, so who cares??), and then MAKING A RELEASE of PHP 5.3.7 with, OF ALL THINGS, a broken untested crypt()!
Do you think that's just his sense of humor, a self-deprecating joke, breaking then releasing crypt() without testing, that's funny in some context? What context would that be? Do you just laugh and shrug it off with "Let Rasmus be Rasmus!"?
> You can see the code coverage, test case failures, Valgrind reports and more for each branch.
> The crypt change did trigger a test to fail, we just went a bit too fast with the release and didn't notice the failure. This is mostly because we have too many test failures which is primarily caused by us adding tests for bug reports before actually fixing the bug. I still like the practice of adding test cases for bugs and then working towards making the tests pass, however for some of these non-critical bugs that are taking a while to change we should probably switch them to XFAIL (expected fail) so they don't clutter up the test failure output and thus making it harder to spot new failures like this crypt one.
And don't even get me started about mysql_real_escape_string! It has the word "real" in it. I mean, come on, who would ever name a function "real", and why?
That implies the existence of a not-so-real mysql escape string function. Why didn't they simply FIX the gaping security hole in the not-so-real mysql escape string function, instead of maintaining one that was real that you should use, and one that was not so real that you should definitely not use, in the name of backwards compatibility?
Or were there actually people out there using the non-real mysql escape string function, and they didn't want to ruffle their feathers by forcing those people with code that had a security hole so big you could fly a space shuttle through to fix their gaping security holes?
The name of the function "mysql_real_escape_string" says all you need to know about the culture and carelessness and lack of security consciousness of the PHP community.
Melania Trump's "I REALLY DON'T CARE DO U?" nihilistic fashion statement sums up Rasmus Lerdorf's and the PHP community's attitude towards security, software quality, programming, standards, computer science, and unit tests.
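The quoted suggestion above, to mark long-standing non-critical failures as XFAIL so that a fresh regression like the crypt() one stands out, corresponds to a section in PHP's own .phpt test-file format, which is run by php-src's run-tests.php. The file below is an added, constructed illustration of that format and is not a test from php-src or from anyone in this thread; the bug number is a placeholder and the buggy helper is hypothetical. With the --XFAIL-- section present, the mismatch between actual and expected output is reported as an expected failure rather than as a new one.

```text
--TEST--
Bug #NNNNN (placeholder): trim_both() only trims the left side
--XFAIL--
Known, non-critical; tracked in the bug report and left failing on purpose
--FILE--
<?php
// Hypothetical helper standing in for code with a known, not-yet-fixed bug:
// it is supposed to trim both ends but currently only trims the left.
function trim_both(string $s): string {
    return ltrim($s);
}
var_dump(trim_both("  x  "));
?>
--EXPECT--
string(1) "x"
```

The actual output is string(3) "x  ", so the test fails; because of --XFAIL-- the runner counts it separately from unexpected failures, which is the whole point of the suggestion: a release manager skimming the summary sees only failures nobody has already accounted for. Once the bug is fixed the --XFAIL-- section is removed and the test becomes a normal regression test.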
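On the "real" versus "not-so-real" escaping functions: mysql_real_escape_string() escapes according to the connection's character set while the older mysql_escape_string() does not, which is exactly the kind of detail that makes escape-and-concatenate fragile. The script below is an added example, not code from the thread or from PHP's own sources, showing why parameterised queries make that question moot: the statement text and the data travel separately, so no escaping function is involved. It uses PDO with an in-memory SQLite database so it runs offline; the table, rows and the request value are constructed here.

```php
<?php
// Added example (not from the thread): parameterised queries versus splicing
// values into SQL text. Uses SQLite in memory so it runs offline; the schema
// and rows below are constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Hypothetical request input. An apostrophe is ordinary data in a surname,
// but it is also SQL's string delimiter.
$name = "O'Brien";

// Weak form: the value becomes part of the statement text. The apostrophe
// closes the literal early and the statement no longer parses; with hostile
// input the consequence is worse than a syntax error.
try {
    $db->query("SELECT id FROM users WHERE name = '$name'");
} catch (PDOException $e) {
    echo "concatenation failed: " . $e->getMessage() . "\n";
}

// Hardened form: the statement is prepared once with a placeholder and the
// value is bound separately, so the database never confuses data with code.
// No escaping function, charset-aware or not, is needed.
$stmt = $db->prepare("SELECT id FROM users WHERE name = :name");
$stmt->execute([':name' => $name]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "parameterised lookup found id " . $row['id'] . "\n";

// Parts of a statement that cannot be parameterised (identifiers, sort
// direction) should be chosen from a fixed whitelist rather than escaped.
$allowed = ['asc', 'desc'];
$requested = $_GET['dir'] ?? '';
$dir = in_array($requested, $allowed, true) ? $requested : 'asc';
foreach ($db->query("SELECT name FROM users ORDER BY name $dir") as $r) {
    echo $r['name'] . "\n";
}
```

The same pattern applies to mysqli::prepare() or PDO over MySQL; SQLite is used only so the script is self-contained. The last block shows the one place where escaping is traditionally reached for, and why a whitelist is the better tool there.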
> "For all the folks getting excited about my quotes. Here is another - Yes, I am a terrible coder, but I am probably still better than you :)" -Rasmus Lerdorf
Well, he shipped, met his users' needs, met the market's needs and generally hit all the necessary bullet points to make a successful and lasting impact on the world. If he didn't meet some requirement that you have, like memory safety, it's because it wasn't necessary.
Checking off the required stuff and leaving the optional stuff for later is the sign of a good coder.
> his lack of giving a shit about things like tests and encryption and security that are extremely important
Woah there, cowboy! It turned out his take was correct, because it continued dominating over all those other technologies which cared about the thing you cared about.
Being correct is better than being elegant, clean, or bug-free.
> This is mostly because we have too many test failures which is primarily caused by us adding tests for bug reports before actually fixing the bug. I still like the practice of adding test cases for bugs and then working towards making the tests pass, however for some of these non-critical bugs that are taking a while to change
That's just a different way of saying "We didn't have enough resources to make the fixes go quicker". What's the alternative here? Don't log the bug? Don't make a test to repro the bug?
> Why didn't they simply FIX the gaping security hole in the not-so-real mysql escape string function,
You sound like you've never been in a professional development shop at all. The reason that things hang around seemingly forever is because someone is using it!
It's the amateur mickey-mouse outfits that remove stuff which users are still using. It really is the equivalent of "Don't break userland".
No professional worth their salt breaks their existing users without a very good reason. This is why Microsoft is still shipping broken win32 functions that were written in 1998. It's why Linus insists "Don't break userland".
If you want to level up to professional level when shipping software, you're going to be shipping a lot of mistakes that you already know about.
On the whole, your comment makes Rasmus look like more of a professional than you.
Your argument that it's correct to not give a shit about tests and security and encryption and memory leaks simply because lots of people are using the project is upside-down, extremely unprofessional, and downright dangerous.
He shipped, but he didn't meet his users or the Internet community's needs, because his users and the Internet at large need safe reliable systems that somebody's actually bothered running the existing unit tests on, instead of security theater, Dunning-Kruger evangelism, and knee-jerk apologetics like your defeatist and fatalistic acceptance and justification of the status quo.
Trotting out Win32 to justify PHP's flaws is pretty unhinged. I'm unsure you're not just a parody account. A serious person would realize they've run out of valid arguments and re-examine their priors before making such an embarrassingly bottom-of-the-barrel justification.
Thomas Midgley Jr. also shipped and made a lasting impact on the world. Changing the world is not the only measure of success, nor justification of harmful impact.
>His legacy is one of inventing the two chemicals that did the greatest environmental damage. Environmental historian J. R. McNeill stated that he "had more adverse impact on the atmosphere than any other single organism in Earth's history." Author Bill Bryson remarked that he possessed "an instinct for the regrettable that was almost uncanny." Science writer Fred Pearce described him as a "one-man environmental disaster".
> Your argument that it's correct to not give a shit about tests and security and encryption and memory leaks simply because lots of people are using the project
That's not my argument. My argument is that while you might give a shit about $THINGS-DON-LIKES in code, the actual market is requiring much more stringent sink-or-swim product decisions.
So, yeah, for you what the market values in that product may be irrelevant to what you value in that code.
> He shipped, but he didn't meet his users or the Internet community's needs,
Obviously he did - he dominated over other languages, even though PHP had next to no marketing budget and was competing against products that had millions, or hundreds of millions, spent on marketing.
The market clearly preferred the product he provided.
> because his users and the Internet at large need safe reliable systems that
Your opinion on what those users needed differs greatly from what those users expressed that they needed. What $DON thinks other people need is irrelevant when those same other people have opinions of their own.
> I'm unsure you're not just a parody account.
I'm sure you do. I'm not sure how that is relevant.
You're once again making the mistake of assuming that your opinion is actually relevant. It's not, to this argument, relevant at all. All your skepticism about my intention only digresses from the main argument, which is what you thought was good for product delivery turned out to be rejected by the market.
> [snipped digression]
The long and short of it is, your acerbic opinion on what the market needed in 1998 differed greatly from what the market actually chose.
Now, you might make a different argument: that the users should have chosen a better product.
But the argument you made was that the product made the wrong trade-offs when trading off security for existence.
To my knowledge, there is no product in the world that makes the trade-off you suggest[1], which is what led me to believe that you have never been part of a product development.
[1] Remember that even Microsoft made the "make it first, then make it secure" decision with almost their entire product line since the 80s. When the richest companies in the world are making this sort of decision and successfully delivering world-dominating products, there's no question of "Is Don wrong?", it's more a question of "When will Don realise it?"
If you were serious, you would be capable of making much better arguments, and be able to address the ones I made, instead of doubling down on your praise and water carrying of Win32's and PHP's mediocrity and insecurity, and defense of Rasmus's arrogant and negligent carelessness.
Doubling down on your arguments is like bragging about shooting your puppy in the face and claiming you stared down Kim Jong-il, instead of just admitting you made a mistake. It doesn't save face as much as you'd like to imagine, or lend any credibility to your self-aggrandizing claims of seriousness and professionalism. You must be fun to work with. /s
> If you were serious, you would be capable of making much better arguments,
The argument I made, viz. users' needs from a product are quite different to what you imagine their needs are, is enough. It's actually a self-evident assertion in many contexts.
All the successful products from that time paid little to no attention to security. Phones, operating systems, ERP software, instant messaging. I don't see how PHP was different in this regard.
Nothing and no one was paying attention to security: you could (and I did) send email by simply telnetting to a server and talking SMTP to it. The internet was not a place where security was a large consideration. The only secure thing was https, which few places used.
You, on the other hand, are quick to call someone a shill, quick to impugn someone else to make your argument look stronger and ignore any arguments made in favour of what your emotions tell you.