[PATCH 2/4] httpd: Don't add Date header to response

[Sergey Ponomarev]

In RFC 2616 sec. 14.18 said that sever MUST send Date header.
But in fact the header have sense only for Cache-Control and can be omitted.
In the same time the Date eats power, CPU and network resources which are 
critical for embedded systems.

Signed-off-by: Sergey Ponomarev 
---
 networking/httpd.c | 20 +++-
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/networking/httpd.c b/networking/httpd.c
index 9141442c8..7a429d2b5 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -214,6 +214,14 @@
 //config:  help
 //config:  Makes httpd send files using GZIP content encoding if the
 //config:  client supports it and a pre-compressed .gz exists.
+//config:
+//config:config FEATURE_HTTPD_DATE
+//config:  bool "Add Date header to response"
+//config:  default y
+//config:  depends on HTTPD
+//config:  help
+//config:  RFC2616 says that sever MUST add Date header to response.
+//config:  But it is almost useless and can be omitted.
 
 //applet:IF_HTTPD(APPLET(httpd, BB_DIR_USR_SBIN, BB_SUID_DROP))
 
@@ -1071,16 +1079,18 @@ static void send_headers(unsigned responseNum)
 * always fit into those kbytes.
 */
 
-   strftime(date_str, sizeof(date_str), RFC1123FMT, gmtime_r(&timer, &tm));
-   /* ^^^ using gmtime_r() instead of gmtime() to not use static data */
len = sprintf(iobuf,
"HTTP/1.1 %u %s\r\n"
-   "Date: %s\r\n"
"Connection: close\r\n",
-   responseNum, responseString,
-   date_str
+   responseNum, responseString
);
 
+#if ENABLE_FEATURE_HTTPD_DATE
+   strftime(date_str, sizeof(date_str), RFC1123FMT, gmtime_r(&timer, &tm));
+   /* ^^^ using gmtime_r() instead of gmtime() to not use static data */
+   len += sprintf(iobuf + len, "Date: %s\r\n", date_str);
+#endif
+
if (responseNum != HTTP_OK || found_mime_type) {
len += sprintf(iobuf + len,
"Content-type: %s\r\n",
-- 
2.25.1

___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

Re: [PATCH 2/4] httpd: Don't add Date header to response

[Denys Vlasenko]

On Sun, Aug 9, 2020 at 12:24 AM Sergey Ponomarev  wrote:
> @@ -1071,16 +1079,18 @@ static void send_headers(unsigned responseNum)
>  * always fit into those kbytes.
>  */
>
> -   strftime(date_str, sizeof(date_str), RFC1123FMT, gmtime_r(&timer, 
> &tm));
> -   /* ^^^ using gmtime_r() instead of gmtime() to not use static data */
> len = sprintf(iobuf,
> "HTTP/1.1 %u %s\r\n"
> -   "Date: %s\r\n"
> "Connection: close\r\n",
> -   responseNum, responseString,
> -   date_str
> +   responseNum, responseString
> );
>
> +#if ENABLE_FEATURE_HTTPD_DATE
> +   strftime(date_str, sizeof(date_str), RFC1123FMT, gmtime_r(&timer, 
> &tm));
> +   /* ^^^ using gmtime_r() instead of gmtime() to not use static data */
> +   len += sprintf(iobuf + len, "Date: %s\r\n", date_str);
> +#endif
> +

This increases code size when FEATURE_HTTPD_DATE=y
(IOW: when functionality does not change)
___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

Re: [PATCH 2/4] httpd: Don't add Date header to response

[Sergey Ponomarev]

yes, but simplifies code. I think that for those who are concerned with one
additional sprintf call can just disable the header.

On Sun, 16 Aug 2020 at 00:07, Denys Vlasenko 
wrote:

> On Sun, Aug 9, 2020 at 12:24 AM Sergey Ponomarev 
> wrote:
> > @@ -1071,16 +1079,18 @@ static void send_headers(unsigned responseNum)
> >  * always fit into those kbytes.
> >  */
> >
> > -   strftime(date_str, sizeof(date_str), RFC1123FMT,
> gmtime_r(&timer, &tm));
> > -   /* ^^^ using gmtime_r() instead of gmtime() to not use static
> data */
> > len = sprintf(iobuf,
> > "HTTP/1.1 %u %s\r\n"
> > -   "Date: %s\r\n"
> > "Connection: close\r\n",
> > -   responseNum, responseString,
> > -   date_str
> > +   responseNum, responseString
> > );
> >
> > +#if ENABLE_FEATURE_HTTPD_DATE
> > +   strftime(date_str, sizeof(date_str), RFC1123FMT,
> gmtime_r(&timer, &tm));
> > +   /* ^^^ using gmtime_r() instead of gmtime() to not use static
> data */
> > +   len += sprintf(iobuf + len, "Date: %s\r\n", date_str);
> > +#endif
> > +
>
> This increases code size when FEATURE_HTTPD_DATE=y
> (IOW: when functionality does not change)
>


-- 
Sergey Ponomarev , skype:stokito
___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

Re: [PATCH 2/4] httpd: Don't add Date header to response

[Guillermo Rodriguez Garcia]

Just for the record, I think that it is not correct to say that the
Date header only makes sense for Cache-Control.
There might be other uses for it; for example I have seen clients set
the local date from there when ntp was not available.
There could be other uses too; there is no way to know what people is
using it for since it is mandated by RFC2616 and thus can be assumed
to be always there.

Guillermo

El dom., 9 ago. 2020 a las 0:24, Sergey Ponomarev
() escribió:
>
> In RFC 2616 sec. 14.18 said that sever MUST send Date header.
> But in fact the header have sense only for Cache-Control and can be omitted.
> In the same time the Date eats power, CPU and network resources which are 
> critical for embedded systems.
>
> Signed-off-by: Sergey Ponomarev 
> ---
>  networking/httpd.c | 20 +++-
>  1 file changed, 15 insertions(+), 5 deletions(-)
>
> diff --git a/networking/httpd.c b/networking/httpd.c
> index 9141442c8..7a429d2b5 100644
> --- a/networking/httpd.c
> +++ b/networking/httpd.c
> @@ -214,6 +214,14 @@
>  //config:  help
>  //config:  Makes httpd send files using GZIP content encoding if the
>  //config:  client supports it and a pre-compressed .gz exists.
> +//config:
> +//config:config FEATURE_HTTPD_DATE
> +//config:  bool "Add Date header to response"
> +//config:  default y
> +//config:  depends on HTTPD
> +//config:  help
> +//config:  RFC2616 says that sever MUST add Date header to response.
> +//config:  But it is almost useless and can be omitted.
>
>  //applet:IF_HTTPD(APPLET(httpd, BB_DIR_USR_SBIN, BB_SUID_DROP))
>
> @@ -1071,16 +1079,18 @@ static void send_headers(unsigned responseNum)
>  * always fit into those kbytes.
>  */
>
> -   strftime(date_str, sizeof(date_str), RFC1123FMT, gmtime_r(&timer, 
> &tm));
> -   /* ^^^ using gmtime_r() instead of gmtime() to not use static data */
> len = sprintf(iobuf,
> "HTTP/1.1 %u %s\r\n"
> -   "Date: %s\r\n"
> "Connection: close\r\n",
> -   responseNum, responseString,
> -   date_str
> +   responseNum, responseString
> );
>
> +#if ENABLE_FEATURE_HTTPD_DATE
> +   strftime(date_str, sizeof(date_str), RFC1123FMT, gmtime_r(&timer, 
> &tm));
> +   /* ^^^ using gmtime_r() instead of gmtime() to not use static data */
> +   len += sprintf(iobuf + len, "Date: %s\r\n", date_str);
> +#endif
> +
> if (responseNum != HTTP_OK || found_mime_type) {
> len += sprintf(iobuf + len,
> "Content-type: %s\r\n",
> --
> 2.25.1
>
> ___
> busybox mailing list
> busybox@busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox



--
Guillermo Rodriguez Garcia
guille.rodrig...@gmail.com
___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

Re: [PATCH 2/4] httpd: Don't add Date header to response

[Sergey Ponomarev]

> I have seen clients set the local date from there when ntp was not
available.

I'm just curious, could you please provide more details. What was the type
of clients? Embedded devices or something else.
Why wasn't ntp available for them? How often does this happen in the wild?
Can clients fetch the date from some website on the internet?
Anyways this is a hack but if someone really needs and control webserver
then it they can use a CGI script:

#!/bin/sh
# RFC date must have GMT in the end
# but GNU date return + instead and bb date returns UTC
# So we must strip + or UTC and add GMT ourselves
DATE=$(date -R -u | sed 's/\UTC//g' | sed 's/\+//g')
DATE="${DATE}GMT"
echo "Date: $DATE";
echo "Status: 200";
echo "";

Just put the script to /cgi-bin/date.sh and call it like
curl http://localhost:8080/cgi-bin/date.sh -v
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /cgi-bin/date.sh HTTP/1.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 29 Aug 2020 19:32:21 GMT
< Status: 200

And BTW as you might notice the date command in BB looks like broken: it
should return date like:
$ date -R -u
Sat, 29 Aug 2020 19:34:38 +

but it returns
$ busybox date -R -u
Sat, 29 Aug 2020 19:35:12 UTC

IMHO BB date works correctly but to keep compatibility with GNU date
probably it should be changed





On Tue, 25 Aug 2020 at 11:54, Guillermo Rodriguez Garcia <
guille.rodrig...@gmail.com> wrote:

> Just for the record, I think that it is not correct to say that the
> Date header only makes sense for Cache-Control.
> There might be other uses for it; for example I have seen clients set
> the local date from there when ntp was not available.
> There could be other uses too; there is no way to know what people is
> using it for since it is mandated by RFC2616 and thus can be assumed
> to be always there.
>
> Guillermo
>
> El dom., 9 ago. 2020 a las 0:24, Sergey Ponomarev
> () escribió:
> >
> > In RFC 2616 sec. 14.18 said that sever MUST send Date header.
> > But in fact the header have sense only for Cache-Control and can be
> omitted.
> > In the same time the Date eats power, CPU and network resources which
> are critical for embedded systems.
> >
> > Signed-off-by: Sergey Ponomarev 
> > ---
> >  networking/httpd.c | 20 +++-
> >  1 file changed, 15 insertions(+), 5 deletions(-)
> >
> > diff --git a/networking/httpd.c b/networking/httpd.c
> > index 9141442c8..7a429d2b5 100644
> > --- a/networking/httpd.c
> > +++ b/networking/httpd.c
> > @@ -214,6 +214,14 @@
> >  //config:  help
> >  //config:  Makes httpd send files using GZIP content encoding if the
> >  //config:  client supports it and a pre-compressed .gz exists.
> > +//config:
> > +//config:config FEATURE_HTTPD_DATE
> > +//config:  bool "Add Date header to response"
> > +//config:  default y
> > +//config:  depends on HTTPD
> > +//config:  help
> > +//config:  RFC2616 says that sever MUST add Date header to response.
> > +//config:  But it is almost useless and can be omitted.
> >
> >  //applet:IF_HTTPD(APPLET(httpd, BB_DIR_USR_SBIN, BB_SUID_DROP))
> >
> > @@ -1071,16 +1079,18 @@ static void send_headers(unsigned responseNum)
> >  * always fit into those kbytes.
> >  */
> >
> > -   strftime(date_str, sizeof(date_str), RFC1123FMT,
> gmtime_r(&timer, &tm));
> > -   /* ^^^ using gmtime_r() instead of gmtime() to not use static
> data */
> > len = sprintf(iobuf,
> > "HTTP/1.1 %u %s\r\n"
> > -   "Date: %s\r\n"
> > "Connection: close\r\n",
> > -   responseNum, responseString,
> > -   date_str
> > +   responseNum, responseString
> > );
> >
> > +#if ENABLE_FEATURE_HTTPD_DATE
> > +   strftime(date_str, sizeof(date_str), RFC1123FMT,
> gmtime_r(&timer, &tm));
> > +   /* ^^^ using gmtime_r() instead of gmtime() to not use static
> data */
> > +   len += sprintf(iobuf + len, "Date: %s\r\n", date_str);
> > +#endif
> > +
> > if (responseNum != HTTP_OK || found_mime_type) {
> > len += sprintf(iobuf + len,
> > "Content-type: %s\r\n",
> > --
> > 2.25.1
> >
> > ___
> > busybox mailing list
> > busybox@busybox.net
> > http://lists.busybox.net/mailman/listinfo/busybox
>
>
>
> --
> Guillermo Rodriguez Garcia
> guille.rodrig...@gmail.com
>


-- 
Sergey Ponomarev , skype:stokito
___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

Re: [PATCH 2/4] httpd: Don't add Date header to response

[Guillermo Rodriguez Garcia]

Hi,

El sáb., 29 ago. 2020 a las 21:37, Sergey Ponomarev
() escribió:
>
> > I have seen clients set the local date from there when ntp was not 
> > available.
>
> I'm just curious, could you please provide more details. What was the type of 
> clients? Embedded devices or something else.

Embedded devices.

> Why wasn't ntp available for them? How often does this happen in the wild?

Not sure. Some examples:

https://www.snbforums.com/threads/ntp-blocked-alternatives-to-ntpd-for-updating-time.46541/page-3#post-404882
https://askubuntu.com/questions/1035525/set-date-and-time-from-http-header-in-router-with-curl-or-wget

> Can clients fetch the date from some website on the internet?
> Anyways this is a hack but if someone really needs and control webserver then 
> it they can use a CGI script:

Well, that's the problem; this only works if you control *both* the
server (so you can setup a script) and the client.

But clients that you don't control may just assume that the Date
header is present (since it is mandated by RFC2616) and disabling this
would break them.

Guillermo Rodriguez Garcia
guille.rodrig...@gmail.com
___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

Re: [PATCH 2/4] httpd: Don't add Date header to response

[Bernd Petrovitsch]

Hi all!

On Mon, 2020-08-31 at 09:53 +0200, Guillermo Rodriguez Garcia wrote:
[...]
> El sáb., 29 ago. 2020 a las 21:37, Sergey Ponomarev
> () escribió:
> > > I have seen clients set the local date from there when ntp was not 
> > > available.
> > 
> > I'm just curious, could you please provide more details. What was the type 
> > of clients? Embedded devices or something else.
> 
> Embedded devices.

Perhaps it makes sense to check which is the smallest
Only-NTP-Client implementation.

> > Why wasn't ntp available for them? How often does this happen in the wild?
> 
> Not sure. Some examples:
> 
> https://www.snbforums.com/threads/ntp-blocked-alternatives-to-ntpd-for-updating-time.46541/page-3#post-404882
> https://askubuntu.com/questions/1035525/set-date-and-time-from-http-header-in-router-with-curl-or-wget

There's a lot of unnecessary fork+exec in these (so-called) "solutions" (and
in the thread above also).
fork+exec is pretty heavy weight and slow on average/typical embedded devices.

And thus it's not really that exact (which may be no issue - dependeing
on the application).

I haven't tried but most - if not all - can be easily replaced with "pure dash".

[...]
> But clients that you don't control may just assume that the Date
> header is present (since it is mandated by RFC2616) and disabling this
> would break them.

Well, if the header is required by a standard 

MfG,
Bernd
-- 
Bernd Petrovitsch  Email : be...@petrovitsch.priv.at
There is no cloud, just other people computers. - FSFE
 LUGA : http://www.luga.at


___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

Re: [PATCH 2/4] httpd: Don't add Date header to response

[Sergey Ponomarev]

Thank you guys for your inputs.
I checked all links and it looks like few years ago there was some breach
in NTP daemons so some ISP disabled it.
It looks like almost everyone just called 1.1.1.1 or google.com. So it not
necessary should be a router or embedded device.
Given how small is amount of such users and only part of them probably may
not have an Internet access and even server access I think we are safe here.

> fork+exec is pretty heavy

Yes but such calls are not expected to be so intensive: maybe just once per
day per client.

BTW the more real problem is with httpd_indexcgi.c which provides directory
listing as a CGI script. All other web servers have a built-in listing.

Speaking about that Date is required by RFC: I sent an email to HTTP WG
https://lists.w3.org/Archives/Public/ietf-http-wg/2020JulSep/0142.html

Anyway, the Date header is still compiled by default but those who don't
need it may disable it.




On Mon, 31 Aug 2020 at 11:25, Bernd Petrovitsch 
wrote:

> Hi all!
>
> On Mon, 2020-08-31 at 09:53 +0200, Guillermo Rodriguez Garcia wrote:
> [...]
> > El sáb., 29 ago. 2020 a las 21:37, Sergey Ponomarev
> > () escribió:
> > > > I have seen clients set the local date from there when ntp was not
> available.
> > >
> > > I'm just curious, could you please provide more details. What was the
> type of clients? Embedded devices or something else.
> >
> > Embedded devices.
>
> Perhaps it makes sense to check which is the smallest
> Only-NTP-Client implementation.
>
> > > Why wasn't ntp available for them? How often does this happen in the
> wild?
> >
> > Not sure. Some examples:
> >
> >
> https://www.snbforums.com/threads/ntp-blocked-alternatives-to-ntpd-for-updating-time.46541/page-3#post-404882
> >
> https://askubuntu.com/questions/1035525/set-date-and-time-from-http-header-in-router-with-curl-or-wget
>
> There's a lot of unnecessary fork+exec in these (so-called) "solutions"
> (and
> in the thread above also).
> fork+exec is pretty heavy weight and slow on average/typical embedded
> devices.
>
> And thus it's not really that exact (which may be no issue - dependeing
> on the application).
>
> I haven't tried but most - if not all - can be easily replaced with "pure
> dash".
>
> [...]
> > But clients that you don't control may just assume that the Date
> > header is present (since it is mandated by RFC2616) and disabling this
> > would break them.
>
> Well, if the header is required by a standard 
>
> MfG,
> Bernd
> --
> Bernd Petrovitsch  Email : be...@petrovitsch.priv.at
> There is no cloud, just other people computers. - FSFE
>  LUGA : http://www.luga.at
>
>
> ___
> busybox mailing list
> busybox@busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox
>


-- 
Sergey Ponomarev , skype:stokito
___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

AW: [PATCH 2/4] httpd: Don't add Date header to response

[Walter Harms]

> Why wasn't ntp available for them? How often does this happen in the wild?

this can happen when you have a remote station with temporally no reception.
E.G. our station have a sanity check for the time and will not start if the 
date is
not set manually.

jm2c

Von: busybox [busybox-boun...@busybox.net] im Auftrag von Guillermo Rodriguez 
Garcia [guille.rodrig...@gmail.com]
Gesendet: Montag, 31. August 2020 09:53
An: Sergey Ponomarev
Cc: busybox
Betreff: Re: [PATCH 2/4] httpd: Don't add Date header to response

Hi,

El sáb., 29 ago. 2020 a las 21:37, Sergey Ponomarev
() escribió:
>
> > I have seen clients set the local date from there when ntp was not 
> > available.
>
> I'm just curious, could you please provide more details. What was the type of 
> clients? Embedded devices or something else.

Embedded devices.

> Why wasn't ntp available for them? How often does this happen in the wild?

Not sure. Some examples:

https://www.snbforums.com/threads/ntp-blocked-alternatives-to-ntpd-for-updating-time.46541/page-3#post-404882
https://askubuntu.com/questions/1035525/set-date-and-time-from-http-header-in-router-with-curl-or-wget

> Can clients fetch the date from some website on the internet?
> Anyways this is a hack but if someone really needs and control webserver then 
> it they can use a CGI script:

Well, that's the problem; this only works if you control *both* the
server (so you can setup a script) and the client.

But clients that you don't control may just assume that the Date
header is present (since it is mandated by RFC2616) and disabling this
would break them.

Guillermo Rodriguez Garcia
guille.rodrig...@gmail.com
___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

Re: [PATCH 2/4] httpd: Don't add Date header to response

[Bernd Petrovitsch]

Hi all!

On Mon, 2020-08-31 at 18:20 +0300, Sergey Ponomarev wrote:
[...]
> I checked all links and it looks like few years ago there was some breach
> in NTP daemons so some ISP disabled it.

Hmm, if ISPs would disable complete services (and nowadays
IMHO essential) if there is "some breach in it", that would
be "interesting" 

> It looks like almost everyone just called 1.1.1.1 or google.com. So it not
> necessary should be a router or embedded device.

For SO and similar, I probably would use that too.
For a serious, professional implementation, all of them are
total no-gos:
- it requires a (DNS) "connection" to the Internet. Not all have
  (or want ) that - especially in the embedded world.
- and Google or whoever gets something to know which is none of
  there business (from the clients side;-).
- the latency and Internet-bandwidth waste is in ANYCAST times
  probably not the real big problem 

> Given how small is amount of such users and only part of them probably may
> not have an Internet access and even server access I think we are safe here.

- and last but not least: better you use a web server you really
  trust for that info.

> > fork+exec is pretty heavy
> 
> Yes but such calls are not expected to be so intensive: maybe just once per
> day per client.

For "once per day" it doesn't matter (probably;-).
Chances are (and my professional experience supports that) that
lots (if not all) of the other shell scripts - especially
CGI-scripts - look quite similar[0][1].
In the real world I would have a comment at the top of "run
once a day script" like "this is run once a day - don't care
about performance" or similar.

> BTW the more real problem is with httpd_indexcgi.c which provides directory
> listing as a CGI script. All other web servers have a built-in listing.

Yes, but have have to activate it or can deactivate it. IMHO
it's more convenience than anything else ...

> Speaking about that Date is required by RFC: I sent an email to HTTP WG
> https://lists.w3.org/Archives/Public/ietf-http-wg/2020JulSep/0142.html
> 
> Anyway, the Date header is still compiled by default but those who don't
> need it may disable it.

Thanks for checking that out!
[ X ] Like!
Having an option too easily get it out is double-plus-good!


MfG,
Bernd

[0]: Don't get me wrong - I started the same in "shell
 scripting" with grep/sort/cut/join/... on real PCs.
 But after years on 25MHz PPC (or similar) CPUs (year
 2000+ and later), it's pretty different 
[1]: And some old-school web interface with 3 frames and
 all of them start some CGI script 
-- 
Bernd Petrovitsch  Email : be...@petrovitsch.priv.at
There is no cloud, just other people computers. - FSFE
 LUGA : http://www.luga.at


___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

Re: [PATCH 2/4] httpd: Don't add Date header to response

[Guillermo Rodriguez Garcia]

Hi Sergey,

I think you are missing my point.
What I provided are examples only. You looked at these and concluded
that this specific case was due to ISPs disabling NTP a few years ago,
and also concluded that this only affected a "small amount of users"
(not sure how you reached this conclusion) and thus "we are safe
here".

But that is not the point. The point is that since the Date header is
mandated by the RFC, clients may (rightfully) rely on it being there,
and may be using it in ways that you are not aware of. Your initial
analysis where the Date header is "only useful for caching" is
incomplete. Regardless of what was the initial rationale for including
this header, the fact is that you do not (and cannot) know how people
may actually be using it.

I think disabling this is a bad idea. Regarding this:

> Anyway, the Date header is still compiled by default but those who don't need 
> it may disable it.

Yes but the help text should make it clear that disabling this may
break clients.
The help text you added says that the header is mandatory according to
the RFC, but that "it is almost useless and can be omitted". The
latter statement is not based on facts, but just your personal
opinion.

Guillermo Rodriguez Garcia
guille.rodrig...@gmail.com
___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox