Perhaps a declaration of technical principles would be a better term, but regardless, the necessity of finding a means (beyond licenses out of necessity) to secure our software from outside meddling seems to be all the more essential the more I think about it. There are approximately 90 CVEs (70% due to memory safety) in each Linux kernel major version, many of which remain outstanding even after moving to the next version, with the average lifespan between 3 and 6 years for "high" and "critical" bugs. The Linux kernel is now approaching 28 million lines of poorly documented code, making it completely beyond what an actual audit is capable of assessing, beyond comprehension. More than this, the development of the kernel and funding of the foundation are almost entirely in corporate hands. Linux is but an example; every large component of major infrastructure (and rest assured, if it's major infrastructure it will become large) suffers from similar plights.
What I'm not attempting to advance here is the suckless philosophy. In my opinion suckless goes beyond attempting to restrict the scope of their projects to an obsession with SLOC to the point of harming correctness and completeness (for a sound list of necessary features see here: http://www.loper-os.org/?p=284).
They do not document their programs, following the mantra that code is documentation (which is true but insufficient). Additionally, they fail to critique the accepted protocols and divisions of applications, which would allow them to not only make more correct, complete software, but also to make in aggregate simpler software. As an example, why make a separate windowing system, terminal multiplexer, terminal emulator, and text editor when these things could all be combined as extensions of one another? Why separate your text editor from your web browser? Why work with text streams and the file system instead of having a single address space? Why take X-Server for granted rather than building off Linux's frame-buffer?
What issues is it that I'm pointing at here exactly:
a) scope creep
b) illiterate programming
c) unquestioned assumptions (primarily those given to us by unix)
d) over-optimization (understandability and completeness should be prioritized over micro-optimizations)
e) insecure technologies (for example unassisted manual memory management, and unchecked type wraps)
f) incomplete software (corner cases handled, etc.)
Can you think of any more, or a consolidation of the terms listed here?