Re: [Interest] Roland Qml
On 14/07/2020 13:24, Roland Hughes wrote:
> They have no formal education with respect to computer science.

So you're implying that CS education has anything to do with the ability to write good code? Some of the best programmers I know, far beyond the capabilities of me, perhaps you, and a vast majority of other coders on this planet, have no "formal education [in] computer science". And having taught programming to people at universities, having worked with people who graduated as a CS bachelor or master from universities, I can 100% assure you that education and skill form nothing more than a correlation, and drawing the causation the way you did (amidst some very biased generalisations) is a logical fallacy at best, and harmful misdirection at worst.

I haven't followed the entirety of this thread (as it's split into a few different threads for some reason). I can understand some disdain against the "dumbing-down" of programming nowadays and I'm personally not fond of QML (in its current state) either. But you suddenly jump from "JavaScript is insecure" to "medical devices running JavaScript will kill patients". Making mistakes can happen in every language, and I'm sure quite a few people have died because of technical issues in c++ code as well. JavaScript might be more error prone -- of course -- but I wouldn't really blame QML for that.

If you use JavaScript in QML for anything other than visual logic, without any validation, unit tests, fuzzing, QA, etc. then you're a bad coder. You're a bad coder *not* because you're from an off-shore country, *not* because you're using JavaScript, and *not* because you're using QML. You're a bad coder because you have made bad decisions and that happens in every language. I've witnessed enough bad c++ Qt coders in my life to conclude that.

sincerely,
Jonathan Purol
___
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest
Re: [Interest] Roland Qml
On Tuesday, 14 July 2020 04:35:28 PDT Roland Hughes wrote:
> On 7/14/20 5:00 AM, Thiago Macieira wrote:
> >> When QML was first pitched back in the Nokia days, it was supposed to be
> >> a script that ran through a pre-compiler generating the C++ widget code.
> >
> > No, it wasn't.
>
> Yes it was. I got that exact pitch. It was supposed to replace the
> problem prone XML based UI files and buggy designer of the day. At that
> time the designer was notorious for corrupting UI files forcing one to
> open them with a different editor to fix. Having a plain text "language"
> that was easy to code and would pre-compile to widget code was a great
> selling point.

Again, no, it wasn't. I was there. I was the product manager in question.

You're confusing the QtDeclarative library and QML with the previous attempt called WidgetsNG (which in turn was a re-iteration of a previous effort called ItemViewNG). WidgetsNG was based on QGraphicsView and its stated intent was to bring proper widgets onto QGraphicsView, with support for animations and transformations. It had an XML language that, like with uic, would compile to C++ at build time.

QtDeclarative never had compilation to C++. I don't remember if the file format was XML back then or whether it was already JS based, but by the time the Oslo team was involved in the effort the whole thing was processed at runtime. This was before anything was sent outside of Nokia.

> That's what the Nokia developers were talking about in the Chicago area.
> They were going to get rid of XML, giving us something that looks much
> like QML, having no logic capabilities, just screen layout, that would
> be 100% compiled.
>
> What we got was an interpreted language massive security risk.

I don't know who you were talking to. There were no Qt development offices in the Chicago area. Either you were talking to sales people or you were talking to Nokia developers who had nothing to do with Qt.

It might have been a customer-meeting trip where product managers (like me back then) would have been present to gather customer input, but not with the actual developers. Trips from Australia are mighty expensive. If that was the case, then nothing was set in stone. It might even have been WidgetsNG time, which was presented in one session at one Qt Developer Days I think.

--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel System Software Products
Re: [Interest] Roland Qml
On 14/07/20 13:35, Roland Hughes wrote:
>>> When QML was first pitched back in the Nokia days, it was supposed to be
>>> a script that ran through a pre-compiler generating the C++ widget code.
>>
>> No, it wasn't.
>
> Yes it was. I got that exact pitch.

Are you calling the person who has maintained QtCore for the last 10+ years, who has worked directly first under Trolltech and then Nokia, who has been the release manager for a number of Qt releases (just before 4.7, which publicly introduced Qt Declarative) a liar?

> It was supposed to replace the problem prone XML based UI files and buggy
> designer of the day. At that time the designer was notorious for corrupting
> UI files forcing one to open them with a different editor to fix. Having a
> plain text "language" that was easy to code and would pre-compile to widget
> code was a great selling point.

"Notorious" is hearsay and unwarranted.

--
Giuseppe D'Angelo | giuseppe.dang...@kdab.com | Senior Software Engineer
KDAB (France) S.A.S., a KDAB Group company
Tel. France +33 (0)4 90 84 08 53, http://www.kdab.com
KDAB - The Qt, C++ and OpenGL Experts
Re: [Interest] Roland Qml
On 7/14/20 1:24 PM, Roland Hughes wrote:
> On 7/14/20 5:00 AM, interest-requ...@qt-project.org wrote:
> (snip)
> When I was at a client site just over a year ago they were using an
> off-shore team that tried to do 100% of the project in QML and JavaScript
> because you can find those people for absolutely no money. They have no
> formal education with respect to computer science. Just read half a "Teach
> Yourself How to Be Totally Useless or Less in 24 Hours" type book on
> JavaScript and hung out a shingle. I opened the binary with, I think
> SublimeText, perhaps KATE, doesn't matter, just a text editor. There it was.
> All the JavaScript code. I know because in the other frame I was looking at
> the actual source. The developer sitting beside me didn't believe me. He
> used Eclipse for everything. Ba-da-bing ba-da-boomb there it was.
> (snip)

Hello Roland,

I'm pretty sure you understand how your message breaks our Code of Conduct, and making those generalized bias comments about developers using other programming languages from different countries is not admitted in this mailing list.

I'm certain The Qt project has many people that come from different backgrounds, and not because they didn't have "a formal CS education" means that they will produce bad code or harm any project.

As someone from an "off-shore" country, I kindly ask you to stop generalizing your own experiences, and maybe find a different platform to share those thoughts.

Cheers

--
Dr. Cristian Maureira-Fredes
R&D Manager
The Qt Company GmbH
Erich-Thilo-Str. 10
D-12489 Berlin
Geschäftsführer: Mika Pälsi, Juha Varelius, Mika Harjuaho
Sitz der Gesellschaft: Berlin, Registergericht: Amtsgericht Charlottenburg, HRB 144331 B
Re: [Interest] Roland Qml
On 7/14/20 5:00 AM, Thiago Macieira wrote:
>> When QML was first pitched back in the Nokia days, it was supposed to be
>> a script that ran through a pre-compiler generating the C++ widget code.
>
> No, it wasn't.

Yes it was. I got that exact pitch. It was supposed to replace the problem prone XML based UI files and buggy designer of the day. At that time the designer was notorious for corrupting UI files forcing one to open them with a different editor to fix. Having a plain text "language" that was easy to code and would pre-compile to widget code was a great selling point.

That's what the Nokia developers were talking about in the Chicago area. They were going to get rid of XML, giving us something that looks much like QML, having no logic capabilities, just screen layout, that would be 100% compiled.

What we got was an interpreted language massive security risk.

--
Roland Hughes, President
Logikal Solutions
(630)-205-1593
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com
http://www.logikalblog.com
http://www.interestingauthors.com/blog
Re: [Interest] Roland Qml
On 7/14/20 5:00 AM, interest-requ...@qt-project.org wrote:
>> Let us not forget that QML+JavaScript is completely insecure in the
>> OpenSource world. All of that JavaScript gets stuffed into the binary you
>> ship as free text. Anyone with a decent text editor can read/extract your
>> super secret proprietary algorithms. Worse yet, anyone with enough patience
>> can change a binary in the field.
>
> Then use some filesystem-level protection mechanism like dm-verity. That will
> prevent replacing the binaries altogether, whether done by the way of editing
> some text inside or by recompiling.
>
> PS: QML is usually not found in clear text inside the binary because rcc
> attempts to compress and text compresses really well. You need to actually
> reverse engineer to find the compressed text content. It's not very
> difficult, but it is one step up from trivial.

When I was at a client site just over a year ago they were using an off-shore team that tried to do 100% of the project in QML and JavaScript because you can find those people for absolutely no money. They have no formal education with respect to computer science. Just read half a "Teach Yourself How to Be Totally Useless or Less in 24 Hours" type book on JavaScript and hung out a shingle. I opened the binary with, I think SublimeText, perhaps KATE, doesn't matter, just a text editor. There it was. All the JavaScript code. I know because in the other frame I was looking at the actual source. The developer sitting beside me didn't believe me. He used Eclipse for everything. Ba-da-bing ba-da-boomb there it was.

This is the identity theft (or worse) security breach Qt has unleashed upon the world. There is no safety in the environment. Things have been dumbed down so people with no formal training can purchase a license and ticking time bombs are being released every day.

I lay awake at night filled with complete dread about the medical devices previously and currently being developed using dirt cheap low skilled off-shore teams because they are "priced right" trying to do the entire thing in QML and JavaScript. A token few will even believe that one & done OpenSource security is actually secure so they won't optically isolate network communications from the actual device via an I/O appliance with its own processor and memory.

They get in, open up the binary with a text editor, change what the JavaScript does, then save the binary. To the doctors and nurses it looks like the 100+- other of these devices the hospital has. This one, at random intervals, kills patients. It will be months and perhaps thousands of dead patients before anyone suspects anything, depending on the device. Something like a ventilator people don't have high survival rates being on in the first place. An infusion pump for a cancer patient would attract slightly more suspicion by offing cancer patients where the disease was caught early.

All because the JavaScript was brought along in the binary as text.

How about all of those "apps" in the app stores written by people with no formal training "because they can" with QML? They won't kill people, but they could make the Equifax breach look small time.

--
Roland Hughes, President
Logikal Solutions
(630)-205-1593
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com
http://www.logikalblog.com
http://www.interestingauthors.com/blog
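The dm-verity suggestion quoted in the message above, as an added example that is not part of the original thread: a simplified Python model of the hash-tree check dm-verity performs on each block read, showing that an in-place text edit inside a file on a verified partition no longer matches the trusted root hash. It is not the real on-disk format; the block size, salt, function names and sample image are assumptions constructed for illustration.

```python
import hashlib

BLOCK = 4096          # data/hash block size (assumed; a common dm-verity default)
FANOUT = BLOCK // 32  # SHA-256 digests that fit in one hash block

def _h(salt: bytes, block: bytes) -> bytes:
    return hashlib.sha256(salt + block.ljust(BLOCK, b"\0")).digest()

def build_tree(image: bytes, salt: bytes):
    """Return (root_hash, levels); levels[0] has one digest per data block."""
    level = [_h(salt, image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = [level]
    while len(level) > 1:
        level = [_h(salt, b"".join(level[i:i + FANOUT]))
                 for i in range(0, len(level), FANOUT)]
        levels.append(level)
    return level[0], levels

def verify_block(image: bytes, index: int, levels, salt: bytes, trusted_root: bytes) -> bool:
    """Re-hash one data block and walk up the stored tree to the trusted root."""
    digest = _h(salt, image[index * BLOCK:(index + 1) * BLOCK])
    for depth, level in enumerate(levels):
        if level[index] != digest:
            return False  # stored hash does not match what was just computed
        if depth + 1 < len(levels):
            index //= FANOUT
            digest = _h(salt, b"".join(level[index * FANOUT:(index + 1) * FANOUT]))
    return digest == trusted_root  # the root is held outside the writable image

def demo():
    salt = bytes(32)                # constructed sample; real setups use a random salt
    image = bytearray(200 * BLOCK)  # constructed stand-in for a read-only partition
    script = b"function doseRate() { return 5; }"  # constructed embedded script text
    image[150 * BLOCK + 100:150 * BLOCK + 100 + len(script)] = script
    clean = bytes(image)
    root, levels = build_tree(clean, salt)
    tampered = clean.replace(b"return 5", b"return 9")  # in-place text edit
    _, rebuilt = build_tree(tampered, salt)  # editor also rewrites the hash tree
    return {
        "clean_ok": all(verify_block(clean, i, levels, salt, root) for i in range(200)),
        "edit_caught": not verify_block(tampered, 150, levels, salt, root),
        "untouched_block_ok": verify_block(tampered, 149, levels, salt, root),
        "rebuilt_tree_caught": not verify_block(tampered, 150, rebuilt, salt, root),
    }

if __name__ == "__main__":
    print(demo())
```

The last case is why the root hash has to be stored and checked outside the image it protects: a consistent but rewritten tree still fails against the trusted root.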
[Interest] Reminder: Qt Code of Conduct
Hi,

This mail is being posted to all of the mailing lists individually, but not cross-posted because that is an invite to create havoc so for those on multiple mailing lists then I apologise for the fact you will get this more than once.

The Qt Code of Conduct was created and agreed upon back in October 2018 and we have had a lot of new contributors and people joining the Qt community that it is time for a reminder that the Qt Code of Conduct exists and that it is worth refreshing everyone's memory about it.

I am happy to say that the community's conduct as a whole is generally positive and aside from issues occasionally things are going in the right direction and this community is a good place to be a part of. That said, it does not hurt to look at the Qt Code of Conduct again, or maybe in some cases for the first time which you can find here:

http://quips-qt-io.herokuapp.com/quip-0012-Code-of-Conduct.html

I would like to add that this email is not an invitation to discuss the content of the Qt Code of Conduct whether you agree with it or not, but merely to remind people that it exists for the benefit of everyone who is part of the Qt community.

The Qt community has been a fundamental aspect of the Qt Project since the beginning, let's keep having a nice and welcoming environment to everyone.

Thank you for your time,

Andy

--
Andy Shaw
The Qt Company