Adobe “sabotaging” HTML5

Daringfireball linked an intriguing statement in Ian Hickson’s blog about Adobe apparently doing something “behind the scenes” to scuttle the canvas component of the HTML5 spec.

Net result: the latest publication of HTML5 is now blocked by Adobe, via an objection that has still not been made public (despite yesterday’s promise to make it so).

Gruber then linked to a rebuttal by Larry Masinter. (I’m not sure whether his framing of the rebuttal was sarcastic; mine would have been.)

I’ve been working on web standards since the beginning of the web in the early 90s, and standards for even longer; long before I joined Adobe. (Note 1) …

I’ve never seen anything as bad as this one, with people abusing their official positions to grandstand and promote proprietary advantage. I’ve blogged some about this, but I’d rather fix things along. (Note 2) …

The organization of work in W3C is determined by the “charters” of working group and the “scope” of the charters, so saying work is “out of scope” even if you are marking a snapshot of the (already published) documents as “Working Draft”, means you might rewrite the “Status of This Document” section to say that it might move. That’s what I was asking for, in the somewhat stilted language of “objection”. (Note 3)

Note 1: translation: “I know that the trick with standards bodies is understanding how to manipulate procedural crap versus actually discussing stuff on its merit.”

Note 2: “fix things along” — by arguing that the canvas API is out of scope for HTML5 unless the working group’s charter is redrafted.

Note 3: thanks for making that so clear.

The Ajaxian has a fascinating article on the subject (which obviously had its name changed, if you compare the URL to the current heading):

Sam Ruby: … while Paul requested that Larry post the substance of his objection on public-html yesterday, and Larry indicated that he would do so, to the best of my knowledge this has not been done

If nothing else, there are issues with consistency. Either it was public since whenever, or Larry Masinter is going to make it public shortly — but not both.

But heck, just go visit the email archives directly.

It basically seems to come down to something like this: the working group’s charter does not include 2D graphics, which means it shouldn’t be producing documents about 2D graphics. But they are supposed to be speccing out HTML5, which includes a canvas element, so that’s in scope. No problem. But explaining what the canvas element does (which is, without describing its JavaScript API, precisely nothing) is, based on 2D graphics not being in scope, not in the charter. But, two years earlier, when this was pointed out, the chair decided that it was in scope because, say, speccing out an element without speccing out WTF it does is kind of pointless.

Masinter points out that at some point in the past, 2D graphics were in the charter (edit: correct link) and were explicitly removed. (Why? What was the context? Maybe the point was that singling out 2D graphics was pointless given the scope of the document. In other words, if we claim our goal is to take over “The World and Belgium”, does removing “and Belgium” from the list mean we’re no longer trying to take over Belgium? Does he object to the <audio> tag’s API being documented?)

Here’s what’s in the WHAT-WG HTML WG charter under Deliverables:

  • A language evolved from HTML4 for describing the semantics of documents and applications on the World Wide Web. This will be a complete specification, not a delta specification.
  • An extensible, serialized form of such a language, using XML.
  • A serialized form of such a language using a defined, non-XML syntax compatible with the ‘classic HTML’ parsers of existing Web browsers.
  • Document Object Model (DOM) interfaces providing APIs for such a language.
  • Forms and common UI widgets such as progress bars, datagrids, menus, and other controls.
  • APIs for the manipulation of linked media. (Edit: highlighted this as well.)
  • Editing APIs and user-driven WYSIWYG editing features. (And this.)

(Edit: the WHAT-WG charter doesn’t appear to have a scope, so arguments about what’s in it are somewhat moot. Its deliverables include “Web Applications 1.0: Features for Application Development in HTML.” It’s hard to think of something more pertinent to this than API documentation for HTML5 tags.)

So, apparently (and the emphasis is mine) documenting the DOM API for every tag is explicitly in scope, but canvas is a special case because “2D graphics” aren’t explicitly in scope? Note that “video” or, heck, “text” aren’t explicitly in scope either. So are they “out of scope too”? (Edit: and in fact if you’re building a WYSIWYG editor in HTML5, why would canvas be irrelevant? Or must WYSIWYG editors only handle text?)

This is procedural bullshit, plain and simple.

If only it had market share, it would have Security Vulnerabilities

The revelation that the security flaw exploited to win a hacking competition last week was related to Java applets that used QuickTime is very interesting because of the usual argument that Macs are only seen as less vulnerable because they have a smaller installed base. Well, QuickTime doesn’t have a “smaller installed base”. Its installed base is highly comparable to that of, say, Internet Explorer, Microsoft Office, or Windows Media Player. Indeed, given that Apple is less likely to rev QuickTime randomly (Windows Media Player 11, anyone?) and that iTunes and iPods are highly linked to the latest version, the chances are that its market penetration exceeds any of these products. Is that not interesting?

Here are QuickTime 7’s stats from Secunia (hey, they’re biased against Apple*, but then who isn’t in the security industry? Until we can get Mac users buying third party firewalls and antivirus software, we’re going to keep telling everyone they’re an accident waiting to happen). Note that these stats include the vulnerability exploited in the CanSecWest competition.

Here are Internet Explorer 7’s stats (note that most folks are probably still using Internet Explorer 6). IE7 has a similar number of vulnerabilities in a shorter timeframe, but they’re more critical and far less likely to have been patched. (And remember, Secunia is the company that treats a trojan you need to download and type an admin password to install on a Mac as highly critical, while a vulnerability that can take over your PC if you just visit the wrong website is not.)

Here are Microsoft Office 2003’s stats. Quite a few vulnerabilities, almost all remote, and, oh look, one in six is unpatched.

There are so many versions of Windows Media Player that linking them all would be kind of tedious. Windows Media Player 11 so far has no listed vulnerabilities. Here are WMP 9 and WMP 10, though.

Given that the vulnerability is an interface between code which relatively few people care about (Java) and code that gets a lot of attention (QuickTime), I suspect that it will probably turn out that some previously identified buffer overflow vulnerability that was fixed for QuickTime via more popular and conventional paths (e.g. the browser plugin) was not fixed for the Java QuickTime API.

Conclusion: Apple just writes better software than Microsoft, and doesn’t leave critical vulnerabilities unpatched for years. But we knew that already.

Note: * Secunia, biased? Say it isn’t so. Here’s a vulnerability in IE that can make an arbitrary malicious file appear to be an HTML file when you “Save As…”. Note its criticality. Here’s an “extremely critical” vulnerability in Mac OS X (note that Mac OS X is one product, like Windows XP Home Edition). It’s listed as partially unpatched because, apparently, you can still execute shell scripts that are placed in an archive manually. OMG, really? Gimme Outlook 2000, which won’t let me extract .exe’s from email attachments even if I sign a release in triplicate. Yeah. That would fix it.