RE: pastebinit default target on Ubuntu

2024-05-13 Thread Thomas Ward
For awareness, with my Debian Maintainer hat on and also my upstream pastebinit 
contributor hat on:

Today version 1.7.0 of pastebinit was tagged in GitHub.  It includes many 
improvements since 1.6.2 and includes the dpaste.org addition.

Note that while I think there's specific overrides for Ubuntu and Debian, the 
'default' of pastebinit upstream is now bpa.st.

We can relatively quickly add code logic *in* pastebinit that changes the 
default for Ubuntu to bpaste.org or such.

1.7.0-1 was uploaded to Debian today but can be rapidly updated if needed to 
add Ubuntu logic.  Or we can distropatch that in with a merge or such.



Thomas



-Original Message-
From: ubuntu-devel On Behalf Of Marco Trevisan
Sent: Thursday, April 25, 2024 07:28
To: Timo Aaltonen
Cc: Sergio Durigan Junior; Robie Basak; ubuntu-devel@lists.ubuntu.com
Subject: Re: pastebinit default target on Ubuntu

Hey,

On apr 16 2024, at 8:23 am, Timo Aaltonen wrote:
> Sergio Durigan Junior wrote on 15.4.2024 at 20.51:
>> dpaste.com also runs a proprietary backend, so I'm -1 on using it.
>> There's dpaste.org, which is FLOSS and doesn't seem to load any ads.
> 
> dpaste.org seems like a fine alternative, so +1 here too

Oh, I totally agree with this, and supporting dpaste.org was easy enough:
 - https://github.com/pastebinit/pastebinit/pull/5

(for those who want to use it already, just add that config to ~/.pastebin.d 
and adjust ~/.pastebinit.xml accordingly).

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel



Re: pastebinit default target on Ubuntu

2024-04-25 Thread Marco Trevisan
Hey,

On apr 16 2024, at 8:23 am, Timo Aaltonen wrote:
> Sergio Durigan Junior wrote on 15.4.2024 at 20.51:
>> dpaste.com also runs a proprietary backend, so I'm -1 on using it.
>> There's dpaste.org, which is FLOSS and doesn't seem to load any ads.
> 
> dpaste.org seems like a fine alternative, so +1 here too

Oh, I totally agree with this, and supporting dpaste.org was easy enough:
 - https://github.com/pastebinit/pastebinit/pull/5

(for those who want to use it already, just add that config to
~/.pastebin.d and adjust ~/.pastebinit.xml accordingly).



Re: pastebinit default target on Ubuntu

2024-04-24 Thread Steve Langasek
On Tue, Apr 16, 2024 at 05:54:47PM +1200, Michael Hudson-Doyle wrote:

> > The current behavior of paste.ubuntu.com, and what I assumed was the
> > driver for moving away from this as a default, was that it requires a
> > login to VIEW the contents of the pastebin.  AFAICS this is not
> > justifiable on the basis of preventing abuse with illicit/illegal
> > pastes, that's already addressed by requiring login on the submission
> > side.

> I think the current behaviour is to require login for at least one of
> submission or view, so a paste created while logged in can be viewed
> anonymously and a paste created anonymously (e.g. by pastebinit, which I
> don't think supports logging in?) requires a login to view.

Ok, I was unaware of this nuance.  That being the case, I don't think "login
required" is a sound argument for a default other than paste.ubuntu.com.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   https://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Re: pastebinit default target on Ubuntu

2024-04-16 Thread Matthew Ruffell
I think we should be pointing it back to paste.ubuntu.com, because our
existing users expect it will go to a distro owned pastebin, and we
should remain consistent.

I am also all for keeping user data on IS controlled assets, we don't
exactly know who controls dpaste, and if they parse dmesg or ceph logs
for call traces etc that might contain juicy data.

For the login issue, perhaps we could do a quick entropy test on the
uploaded data. Log data is very repetitive, even on long logs, so it
will have low entropy. Base64 encoded data will have high entropy. We
just reject any high entropy submissions, and remove the login to view
requirement.

I use pastebinit all the time, and it would be nice to default back to
paste.ubuntu.com.

Thanks,
Matthew

On Tue, 16 Apr 2024 at 08:44, Stéphane Graber wrote:
>
> On Mon, Apr 15, 2024 at 4:14 PM Steve Langasek wrote:
> >
> > On Mon, Apr 15, 2024 at 04:48:17PM +0100, Robie Basak wrote:
> > > Prior to Noble, the pastebinit command defaulted to paste.ubuntu.com. In
> > > Noble, this has changed to dpaste.com due to an upstream change[1].
> >
> > > What do Ubuntu developers think the default should be? If it should
> > > remain paste.ubuntu.com, we can ask upstream to change it back, or add a
> > > delta for now.
> >
> > > Reason to keep it dpaste.com:
> >
> > > People have complained that the login requirement makes it unusable for
> > > helping Ubuntu users at large who don't necessarily have an Ubuntu SSO
> > > account.
> >
> > > Reason to keep it paste.ubuntu.com:
> >
> > > I'm not keen on relying on third party services when not necessary,
> > > especially ad-supported ones. I have no reason to distrust the current
> > > operator, but in general, these things tend to go wrong sooner or later.
> >
> > > There was more discussion on IRC[2].
> >
> > > [1] 
> > > https://github.com/pastebinit/pastebinit/commit/5c668fb3ed9b4a103eb22b16e603050a539951e0
> > > [2] https://irclogs.ubuntu.com/2024/04/15/%23ubuntu-devel.html#t14:17
> >
> > I was not pleased to see the switch to dpaste.com.  I've found that it's
> > pretty unusable on mobile, and I don't like this pointing to a service we
> > don't control.
> >
> > And if there are issues with the usability of paste.ubuntu.com, uh, we own
> > that service?  So let's work with our IS team to make it fit for purpose.
> > (I don't know why it currently requires a login to *view* paste contents;
> > that seems straightforwardly a bug that we should just get sorted.)
>
> That's because pastebin servers are frequently abused as a way to get
> free mass storage.
>
> It's not very practical to require login to post to a pastebin as the
> whole point is for a tool like "pastebinit" to work without needing
> user configuration as it's commonly used as a debug tool on cloud
> instances and other random servers rather than a user's personal
> system.
>
> With that in mind, a bunch of folks noticed that you could abuse a
> service like paste.ubuntu.com by pushing large files (base64 encoded
> or the like) and then retrieve them with a very trivial amount of html
> parsing (if no raw option is offered directly).
>
>
> There are obviously alternatives to this, but they tend to require a
> bunch more server side logic, basically trying to find the right set
> of restrictions to both poster and reader so that legitimate users can
> use the service normally while abusers get sufficiently annoyed to
> stay away from it.
>
> > --
> > Steve Langasek   Give me a lever long enough and a Free OS
> > Debian Developer   to set it on, and I can move the world.
> > Ubuntu Developer   https://www.debian.org/
> > slanga...@ubuntu.com vor...@debian.org
> > --
> > ubuntu-devel mailing list
> > ubuntu-devel@lists.ubuntu.com
> > Modify settings or unsubscribe at: 
> > https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
>
>
>
> --
> Stéphane
>
> --
> ubuntu-devel mailing list
> ubuntu-devel@lists.ubuntu.com
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
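
The entropy test proposed in this message, sketched as an added example (not code from the thread, from paste.ubuntu.com or from pastebinit); the thresholds, function names and sample inputs are assumptions constructed for illustration. It goes one step beyond the proposal by also measuring zlib compressibility, because per-character entropy only separates alphabets (base64 tops out near 6 bits per character) while "very repetitive" is a property that compression measures directly.

```python
import base64
import hashlib
import math
import zlib
from collections import Counter

# Thresholds are assumptions chosen for this example, not values from the thread.
MIN_LEN = 512            # below this, both estimates are too noisy to act on
MAX_BITS_PER_CHAR = 5.7  # base64 of random data sits near 6.0
MAX_ZLIB_RATIO = 0.45    # repetitive logs compress far below this


def shannon_bits_per_char(data: bytes) -> float:
    """Order-0 Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def zlib_ratio(data: bytes) -> float:
    """Compressed size / original size; captures repetition across lines."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def classify(data: bytes) -> str:
    """Return 'accept', 'reject-entropy' or 'reject-incompressible'."""
    if len(data) < MIN_LEN:
        return "accept"  # short pastes: too little data to judge either metric
    if shannon_bits_per_char(data) > MAX_BITS_PER_CHAR:
        return "reject-entropy"
    if zlib_ratio(data) > MAX_ZLIB_RATIO:
        return "reject-incompressible"
    return "accept"


def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for an opaque binary payload (SHA-256, counter mode)."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


# Constructed samples: a dmesg-like log, a base64 blob and a hex blob.
SAMPLE_LOG = "".join(
    f"[{12.0 + i * 0.731:12.6f}] usb 1-{i % 4 + 1}: new high-speed USB device "
    f"number {i % 9 + 2} using xhci_hcd\n"
    for i in range(200)
).encode()
SAMPLE_B64 = base64.b64encode(pseudo_random(6000))
SAMPLE_HEX = pseudo_random(4000).hex().encode()

if __name__ == "__main__":
    for name, blob in (("log", SAMPLE_LOG), ("base64", SAMPLE_B64), ("hex", SAMPLE_HEX)):
        print(f"{name:7s} {shannon_bits_per_char(blob):.2f} bits/char  "
              f"zlib {zlib_ratio(blob):.2f}  -> {classify(blob)}")
```

The hex sample passes the entropy threshold (about 4 bits per character, lower than typical log text) and is only caught by the compression check, which is why the sketch does not rely on character entropy alone.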



Re: pastebinit default target on Ubuntu

2024-04-16 Thread Timo Aaltonen

Sergio Durigan Junior wrote on 15.4.2024 at 20.51:
> On Monday, April 15 2024, Robie Basak wrote:
>
>> Reason to keep it dpaste.com:
>>
>> People have complained that the login requirement makes it unusable for
>> helping Ubuntu users at large who don't necessarily have an Ubuntu SSO
>> account.
>
> The requirement for login is really a pain.  I find myself avoiding
> paste.ubuntu.com most of the time because of it, especially if I know
> that the target audience might not even have a Launchpad account.

+1

>> Reason to keep it paste.ubuntu.com:
>>
>> I'm not keen on relying on third party services when not necessary,
>> especially ad-supported ones. I have no reason to distrust the current
>> operator, but in general, these things tend to go wrong sooner or later.
>
> dpaste.com also runs a proprietary backend, so I'm -1 on using it.
> There's dpaste.org, which is FLOSS and doesn't seem to load any ads.

dpaste.org seems like a fine alternative, so +1 here too


--
t




Re: pastebinit default target on Ubuntu

2024-04-15 Thread Michael Hudson-Doyle
On Tue, 16 Apr 2024 at 14:37, Steve Langasek wrote:

> On Mon, Apr 15, 2024 at 04:42:37PM -0400, Stéphane Graber wrote:
> > > And if there are issues with the usability of paste.ubuntu.com, uh, we own
> > > that service?  So let's work with our IS team to make it fit for purpose.
> > > (I don't know why it currently requires a login to *view* paste contents;
> > > that seems straightforwardly a bug that we should just get sorted.)
>
> > That's because pastebin servers are frequently abused as a way to get
> > free mass storage.
>
> > It's not very practical to require login to post to a pastebin as the
> > whole point is for a tool like "pastebinit" to work without needing
> > user configuration as it's commonly used as a debug tool on cloud
> > instances and other random servers rather than a user's personal
> > system.
>
> > With that in mind, a bunch of folks noticed that you could abuse a
> > service like paste.ubuntu.com by pushing large files (base64 encoded
> > or the like) and then retrieve them with a very trivial amount of html
> > parsing (if no raw option is offered directly).
>
> > There are obviously alternatives to this, but they tend to require a
> > bunch more server side logic, basically trying to find the right set
> > of restrictions to both poster and reader so that legitimate users can
> > use the service normally while abusers get sufficiently annoyed to
> > stay away from it.
>
> The current behavior of paste.ubuntu.com, and what I assumed was the driver
> for moving away from this as a default, was that it requires a login to VIEW
> the contents of the pastebin.  AFAICS this is not justifiable on the basis
> of preventing abuse with illicit/illegal pastes, that's already addressed by
> requiring login on the submission side.
>

I think the current behaviour is to require login for at least one of
submission or view, so a paste created while logged in can be viewed
anonymously and a paste created anonymously (e.g. by pastebinit, which I
don't think supports logging in?) requires a login to view.

Cheers,
mwh


Re: pastebinit default target on Ubuntu

2024-04-15 Thread Steve Langasek
On Mon, Apr 15, 2024 at 04:42:37PM -0400, Stéphane Graber wrote:
> > And if there are issues with the usability of paste.ubuntu.com, uh, we own
> > that service?  So let's work with our IS team to make it fit for purpose.
> > (I don't know why it currently requires a login to *view* paste contents;
> > that seems straightforwardly a bug that we should just get sorted.)

> That's because pastebin servers are frequently abused as a way to get
> free mass storage.

> It's not very practical to require login to post to a pastebin as the
> whole point is for a tool like "pastebinit" to work without needing
> user configuration as it's commonly used as a debug tool on cloud
> instances and other random servers rather than a user's personal
> system.

> With that in mind, a bunch of folks noticed that you could abuse a
> service like paste.ubuntu.com by pushing large files (base64 encoded
> or the like) and then retrieve them with a very trivial amount of html
> parsing (if no raw option is offered directly).

> There are obviously alternatives to this, but they tend to require a
> bunch more server side logic, basically trying to find the right set
> of restrictions to both poster and reader so that legitimate users can
> use the service normally while abusers get sufficiently annoyed to
> stay away from it.

The current behavior of paste.ubuntu.com, and what I assumed was the driver
for moving away from this as a default, was that it requires a login to VIEW
the contents of the pastebin.  AFAICS this is not justifiable on the basis
of preventing abuse with illicit/illegal pastes, that's already addressed by
requiring login on the submission side.

If requiring authentication on the SUBMISSION side is sufficient reason to
change the default pastebin, then that of course isn't something we should
second-guess; we don't need to be reinvesting anonymous ftp servers.  But in
that case, I think there should have been a discussion about who the default
behavior is for, because for my part it makes the default behavior much
worse.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   https://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Re: pastebinit default target on Ubuntu

2024-04-15 Thread Colin Watson
On Mon, Apr 15, 2024 at 04:42:37PM -0400, Stéphane Graber wrote:
> On Mon, Apr 15, 2024 at 4:14 PM Steve Langasek wrote:
> > And if there are issues with the usability of paste.ubuntu.com, uh, we own
> > that service?  So let's work with our IS team to make it fit for purpose.
> > (I don't know why it currently requires a login to *view* paste contents;
> > that seems straightforwardly a bug that we should just get sorted.)
> 
> That's because pastebin servers are frequently abused as a way to get
> free mass storage.
> 
> It's not very practical to require login to post to a pastebin as the
> whole point is for a tool like "pastebinit" to work without needing
> user configuration as it's commonly used as a debug tool on cloud
> instances and other random servers rather than a user's personal
> system.
> 
> With that in mind, a bunch of folks noticed that you could abuse a
> service like paste.ubuntu.com by pushing large files (base64 encoded
> or the like) and then retrieve them with a very trivial amount of html
> parsing (if no raw option is offered directly).

I'll add that (from memory) it wasn't just being abused as free mass
storage in general, it was very very dodgy stuff that required urgent
takedown enforcement.  We talked IS down from making it require a login
to use the service at all and this was the compromise.

-- 
Colin Watson (he/him)  [cjwat...@ubuntu.com]



Re: pastebinit default target on Ubuntu

2024-04-15 Thread Stéphane Graber
On Mon, Apr 15, 2024 at 4:14 PM Steve Langasek wrote:
>
> On Mon, Apr 15, 2024 at 04:48:17PM +0100, Robie Basak wrote:
> > Prior to Noble, the pastebinit command defaulted to paste.ubuntu.com. In
> > Noble, this has changed to dpaste.com due to an upstream change[1].
>
> > What do Ubuntu developers think the default should be? If it should
> > remain paste.ubuntu.com, we can ask upstream to change it back, or add a
> > delta for now.
>
> > Reason to keep it dpaste.com:
>
> > People have complained that the login requirement makes it unusable for
> > helping Ubuntu users at large who don't necessarily have an Ubuntu SSO
> > account.
>
> > Reason to keep it paste.ubuntu.com:
>
> > I'm not keen on relying on third party services when not necessary,
> > especially ad-supported ones. I have no reason to distrust the current
> > operator, but in general, these things tend to go wrong sooner or later.
>
> > There was more discussion on IRC[2].
>
> > [1] 
> > https://github.com/pastebinit/pastebinit/commit/5c668fb3ed9b4a103eb22b16e603050a539951e0
> > [2] https://irclogs.ubuntu.com/2024/04/15/%23ubuntu-devel.html#t14:17
>
> I was not pleased to see the switch to dpaste.com.  I've found that it's
> pretty unusable on mobile, and I don't like this pointing to a service we
> don't control.
>
> And if there are issues with the usability of paste.ubuntu.com, uh, we own
> that service?  So let's work with our IS team to make it fit for purpose.
> (I don't know why it currently requires a login to *view* paste contents;
> that seems straightforwardly a bug that we should just get sorted.)

That's because pastebin servers are frequently abused as a way to get
free mass storage.

It's not very practical to require login to post to a pastebin as the
whole point is for a tool like "pastebinit" to work without needing
user configuration as it's commonly used as a debug tool on cloud
instances and other random servers rather than a user's personal
system.

With that in mind, a bunch of folks noticed that you could abuse a
service like paste.ubuntu.com by pushing large files (base64 encoded
or the like) and then retrieve them with a very trivial amount of html
parsing (if no raw option is offered directly).


There are obviously alternatives to this, but they tend to require a
bunch more server side logic, basically trying to find the right set
of restrictions to both poster and reader so that legitimate users can
use the service normally while abusers get sufficiently annoyed to
stay away from it.

> --
> Steve Langasek   Give me a lever long enough and a Free OS
> Debian Developer   to set it on, and I can move the world.
> Ubuntu Developer   https://www.debian.org/
> slanga...@ubuntu.com vor...@debian.org
> --
> ubuntu-devel mailing list
> ubuntu-devel@lists.ubuntu.com
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel



-- 
Stéphane



Re: pastebinit default target on Ubuntu

2024-04-15 Thread Steve Langasek
On Mon, Apr 15, 2024 at 04:48:17PM +0100, Robie Basak wrote:
> Prior to Noble, the pastebinit command defaulted to paste.ubuntu.com. In
> Noble, this has changed to dpaste.com due to an upstream change[1].

> What do Ubuntu developers think the default should be? If it should
> remain paste.ubuntu.com, we can ask upstream to change it back, or add a
> delta for now.

> Reason to keep it dpaste.com:

> People have complained that the login requirement makes it unusable for
> helping Ubuntu users at large who don't necessarily have an Ubuntu SSO
> account.

> Reason to keep it paste.ubuntu.com:

> I'm not keen on relying on third party services when not necessary,
> especially ad-supported ones. I have no reason to distrust the current
> operator, but in general, these things tend to go wrong sooner or later.

> There was more discussion on IRC[2].

> [1] 
> https://github.com/pastebinit/pastebinit/commit/5c668fb3ed9b4a103eb22b16e603050a539951e0
> [2] https://irclogs.ubuntu.com/2024/04/15/%23ubuntu-devel.html#t14:17

I was not pleased to see the switch to dpaste.com.  I've found that it's
pretty unusable on mobile, and I don't like this pointing to a service we
don't control.

And if there are issues with the usability of paste.ubuntu.com, uh, we own
that service?  So let's work with our IS team to make it fit for purpose. 
(I don't know why it currently requires a login to *view* paste contents;
that seems straightforwardly a bug that we should just get sorted.)

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   https://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Re: pastebinit default target on Ubuntu

2024-04-15 Thread Sergio Durigan Junior
On Monday, April 15 2024, Robie Basak wrote:

> Reason to keep it dpaste.com:
>
> People have complained that the login requirement makes it unusable for
> helping Ubuntu users at large who don't necessarily have an Ubuntu SSO
> account.

The requirement for login is really a pain.  I find myself avoiding
paste.ubuntu.com most of the time because of it, especially if I know
that the target audience might not even have a Launchpad account.

> Reason to keep it paste.ubuntu.com:
>
> I'm not keen on relying on third party services when not necessary,
> especially ad-supported ones. I have no reason to distrust the current
> operator, but in general, these things tend to go wrong sooner or later.

dpaste.com also runs a proprietary backend, so I'm -1 on using it.
There's dpaste.org, which is FLOSS and doesn't seem to load any ads.

Thanks,

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14



pastebinit default target on Ubuntu

2024-04-15 Thread Robie Basak
Hi,

Prior to Noble, the pastebinit command defaulted to paste.ubuntu.com. In
Noble, this has changed to dpaste.com due to an upstream change[1].

What do Ubuntu developers think the default should be? If it should
remain paste.ubuntu.com, we can ask upstream to change it back, or add a
delta for now.

Reason to keep it dpaste.com:

People have complained that the login requirement makes it unusable for
helping Ubuntu users at large who don't necessarily have an Ubuntu SSO
account.

Reason to keep it paste.ubuntu.com:

I'm not keen on relying on third party services when not necessary,
especially ad-supported ones. I have no reason to distrust the current
operator, but in general, these things tend to go wrong sooner or later.

There was more discussion on IRC[2].

[1] 
https://github.com/pastebinit/pastebinit/commit/5c668fb3ed9b4a103eb22b16e603050a539951e0
[2] https://irclogs.ubuntu.com/2024/04/15/%23ubuntu-devel.html#t14:17

