Re: lynx is gone?
On Fri, Mar 06, 2015 at 11:01:50PM GMT, worik wrote:
> On 07/03/15 11:59, worik wrote:
> > On 06/03/15 22:29, Raf Czlonka wrote:
> >>> By the way, is there a list of common risk-prone idioms ?
> >> +1
> >
> > https://duckduckgo.com/?q=%22common+risk-prone+idioms%22&t=canonical
> >
> > "common risk-prone idioms" appears only here.
> >
> > Interesting concept, and would be illuminating to expand on
>
> Sigh! If I had read *all* the thread before replying I would have seen
> some illumination. Nice

It's usually a good idea to read the whole thread to which one is about
to reply :^)

Raf
Re: lynx is gone?
On Fri, Mar 06, 2015 at 06:29:13PM GMT, Jason Adams wrote:
> Agreed, asking someone to prove a negative (no possible bugs) is an

That's *positive*, isn't it?

> impossibly high standard to expect of someone, and probably NOT one
> that Theo would want to impose on any project, including OpenBSD.
>
> It's far easier for Ingo to cite the already discovered list of bugs
> and faults that caused the removal of lynx..

We weren't talking about 'lynx'.

>
> That being said:
> It seems to me that the quoted text in your message suggests to me
> that Ingo was asking for specifics about the quality of sqlite. That
> seems like a reasonable request to me.

Ingo wasn't asking - he was *being* asked.
Please re-read the thread.

Raf
Re: lynx is gone?
On 07/03/15 11:59, worik wrote:
> On 06/03/15 22:29, Raf Czlonka wrote:
>>> By the way, is there a list of common risk-prone idioms ?
>> +1
>
> https://duckduckgo.com/?q=%22common+risk-prone+idioms%22&t=canonical
>
> "common risk-prone idioms" appears only here.
>
> Interesting concept, and would be illuminating to expand on

Sigh! If I had read *all* the thread before replying I would have seen
some illumination. Nice

W
--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804
Aotearoa (New Zealand)
I voted for love
Re: lynx is gone?
On 06/03/15 22:29, Raf Czlonka wrote:
>> By the way, is there a list of common risk-prone idioms ?
> +1

https://duckduckgo.com/?q=%22common+risk-prone+idioms%22&t=canonical

"common risk-prone idioms" appears only here.

Interesting concept, and would be illuminating to expand on

W
--
Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804
Aotearoa (New Zealand)
I voted for love
Re: lynx is gone?
> That being said:
> It seems to me that the quoted text in your message suggests to me that
> Ingo was asking for specifics about the quality of sqlite. That seems
> like a reasonable request to me.

Discussing something does not change it.

A review of libsqlite source code will demonstrate that it is written
using many old practices of coping with "older systems". Many of the
same techniques that caused unnecessary risk in OpenSSL.

I'm not bringing up OpenSSL for drama. When software uses many
practices to support .01% of users, the other 99.9% of users accumulate
those risks too. Those kinds of coding practices are widespread in many
codebases, which sometimes have unfortunately risen to the top of the
pack of choice.

Unfortunately many such projects lack developer bandwidth or initiative
for re-evaluation and moving to newer practices.

This is not a condemnation, just an observation.

In general OpenBSD has avoided such upstream software packages.

Another example here is unbound and nsd, which do not use the kernel
random-port selection mechanism. Instead, it uses a portable method for
random port selection, which comes with some significant downsides.

Upstream software sometimes comes with downsides. Can't help it, and
often we fork.

But this really is not a mailing list of people who read the actual
source code, is it... so what was the discussion about again? Simple
"I want something you don't give me" rage?
Re: lynx is gone?
On 03/05/2015 02:13 PM, Raf Czlonka wrote:
> On Thu, Mar 05, 2015 at 08:24:47PM GMT, Theo de Raadt wrote:
>>> Ingo,
>>>
>>> On Mar 05 18:11:31, schwa...@usta.de wrote:
>>>> By the way, lynx(1) removal doesn't really hurt that much.
>>>> Rotten code that will hurt more when it will finally be deleted
>>>> includes, for example, the sqlite3(1) library and file(1).
>>> can you please elaborate on what's rotten in sqlite?
>> Jan, can you please start from the other end, and provide evidence
>> that the code is of the highest possible quality?
> Hi Theo,
>
> Based on the above, Jan hadn't made any such claims so no evidence is
> required. He only asked Ingo to support *his* claim - more info, for
> mere reference, if nothing else, would be greatly appreciated. :^)
>
> Cheers,
>
> Raf
>

Agreed, asking someone to prove a negative (no possible bugs) is an
impossibly high standard to expect of someone, and probably NOT one
that Theo would want to impose on any project, including OpenBSD.

It's far easier for Ingo to cite the already discovered list of bugs
and faults that caused the removal of lynx..

That being said:
It seems to me that the quoted text in your message suggests to me
that Ingo was asking for specifics about the quality of sqlite. That
seems like a reasonable request to me.

--
Those who do not understand Unix are condemned to reinvent it, poorly.
Re: lynx is gone?
Hi Thomas,

Thomas Schmidt wrote on Fri, Mar 06, 2015 at 03:30:56PM +0100:
> On Thu, Mar 05, 2015 at 08:03:36PM -0700, Theo de Raadt wrote:
>> somebody wrote:
>>> On Thu, Mar 5, 2015 at 9:32 PM, Theo de Raadt wrote:
>>>> Never know. OpenBSD is not generally known as an exposed democracy.
>>>This made me chuckle out loud :)
>> Well, it makes me laugh out loud too.
>>
>> We are successfully making good software, using a scheme called
>> undemocratic.
>>
>> How un-American of us.
>>
>> Laughing again? You must be a terrorist.
> I'm sure someone already made this joke, but here it goes:
> You could pretty much call this system a Theocracy.

With the subtle difference that gods usually suffer from a nasty habit
of messing with everything, are obsessed with wanting to know
everything, and voluntarily misdesign the system to be essentially
incomprehensible by mortals - while Theo doesn't mess with what he
doesn't understand but insists that each part be as easy to understand
as possible, even where he doesn't personally spend the time to do so.

Besides, parts of OpenBSD could more fittingly be described as
marcracies, miocracies, jasocracies, matthieucracies, kencracies,
nicracies, and so on. As a matter of fact, there are at least two
distinct nicracies, twice as many as theocracies.

In German, you would call that eine Machtfrage: Wer macht's? ;-)

Ingo
Re: lynx is gone?
On Thu, Mar 05, 2015 at 08:03:36PM -0700, Theo de Raadt wrote:
> >On Thu, Mar 5, 2015 at 9:32 PM, Theo de Raadt
> >wrote:
> >
> >>
> >> Never know. OpenBSD is not generally known as an exposed democracy.
> >>
> >
> >This made me chuckle out loud :)
>
> Well, it makes me laugh out loud too.
>
> We are successfully making good software, using a scheme called
> undemocratic.
>
> How un-American of us.
>
> Laughing again? You must be a terrorist.
>

I'm sure someone already made this joke, but here it goes:
You could pretty much call this system a Theocracy.
Re: lynx is gone?
On Fri, Mar 06, 2015 at 10:15:30AM GMT, Marc Espie wrote:
> On Thu, Mar 05, 2015 at 09:20:23PM +0100, Jan Stary wrote:
> > Ingo,
> >
> > On Mar 05 18:11:31, schwa...@usta.de wrote:
> > > By the way, lynx(1) removal doesn't really hurt that much.
> > > Rotten code that will hurt more when it will finally be deleted
> > > includes, for example, the sqlite3(1) library and file(1).
> >
> > can you please elaborate on what's rotten in sqlite?
>
> It is partly a cultural thingy, and a question of priorities.
> The guy (guys?) who writes sqlite is a very good developer, but he
> does not have security as a top priority. His top priorities are speed
> and portability.
>
> As far as I can gather, he mostly gets away with it because he is very
> very good at writing algorithmic code.
>
> Of course, when you look at his code with the mindset of the typical
> openbsd developer, things appear different.
> - he has lots of compatibility cruft which makes us cringe (utility functions
> that supplement the libc, but without any specific concerns to use secure
> apis).
> - he uses idioms that we do know to be somewhat dangerous unless one is
> very careful (manual length computations)
> - he uses idioms that somewhat negate some of the mitigation techniques the
> OS provides (memory management).

I think this is the info Jan and myself were looking for :^)

> All of that is the first thing people like Theo notice...

Well, most of us don't - hence the very existence of misc@ ;^)

> So sqlite has a basis for improvement. I haven't the faintest idea how to go
> about educating its main author. Especially since there is a lot of work
> to improve this code, and also because this includes breaking the API.
>
>
> Note that the same thing can be said for over 90% of the code base
> that didn't originate in OpenBSD.
> Having spent more than enough time looking at external code (I'm blind!
> such horrible, horrible code), I can say that sqlite is less worse than
> most of the code out there (compare with glib2/3, for instance, as a case
> of code where you can't figure out what goes wrong when things go wrong).
> You also have to keep in mind that it's mostly a one-man team doing the
> development... but yeah, it's not perfect.
>
> if some guys with people skills want to talk to sqlite's author about changing
> his ways, feel free to do so. I guess it's mostly a question of educating
> him, which definitely doesn't start by saying his code is crap. :)

I guess it's not only the people skills but a combination of both that
*and* great coding skills - the two do not necessarily go hand in hand
:^P

Marc, thank you for taking the time to elaborate.

Best regards,

Raf
Re: lynx is gone?
On Thu, Mar 05, 2015 at 09:20:23PM +0100, Jan Stary wrote:
> Ingo,
>
> On Mar 05 18:11:31, schwa...@usta.de wrote:
> > By the way, lynx(1) removal doesn't really hurt that much.
> > Rotten code that will hurt more when it will finally be deleted
> > includes, for example, the sqlite3(1) library and file(1).
>
> can you please elaborate on what's rotten in sqlite?

It is partly a cultural thingy, and a question of priorities.
The guy (guys?) who writes sqlite is a very good developer, but he
does not have security as a top priority. His top priorities are speed
and portability.

As far as I can gather, he mostly gets away with it because he is very
very good at writing algorithmic code.

Of course, when you look at his code with the mindset of the typical
openbsd developer, things appear different.
- he has lots of compatibility cruft which makes us cringe (utility
  functions that supplement the libc, but without any specific concerns
  to use secure apis).
- he uses idioms that we do know to be somewhat dangerous unless one is
  very careful (manual length computations)
- he uses idioms that somewhat negate some of the mitigation techniques
  the OS provides (memory management).

All of that is the first thing people like Theo notice...

So sqlite has a basis for improvement. I haven't the faintest idea how
to go about educating its main author. Especially since there is a lot
of work to improve this code, and also because this includes breaking
the API.

Note that the same thing can be said for over 90% of the code base
that didn't originate in OpenBSD.
Having spent more than enough time looking at external code (I'm blind!
such horrible, horrible code), I can say that sqlite is less worse than
most of the code out there (compare with glib2/3, for instance, as a
case of code where you can't figure out what goes wrong when things go
wrong). You also have to keep in mind that it's mostly a one-man team
doing the development... but yeah, it's not perfect.

if some guys with people skills want to talk to sqlite's author about
changing his ways, feel free to do so. I guess it's mostly a question
of educating him, which definitely doesn't start by saying his code is
crap. :)
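
The "manual length computations" idiom named in the message above, as an added example (constructed C, not part of the thread and not SQLite code; every function name is hypothetical). Each hand-computed length sits beside a checked form, and the overrun is made observable with a canary inside a larger array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names below are hypothetical; nothing here is taken from SQLite. */

/* Risk-prone: element count times element size, multiplied by hand.
 * The product can wrap past SIZE_MAX, so the allocator would be asked
 * for far less memory than the caller goes on to use. */
size_t alloc_size_manual(size_t n, size_t size)
{
    return n * size;
}

/* Hardened: reject the request when the product does not fit in size_t. */
int alloc_size_checked(size_t n, size_t size, size_t *out)
{
    if (n != 0 && size > SIZE_MAX / n)
        return -1;
    *out = n * size;
    return 0;
}

/* Risk-prone: build "a/b" in dst with hand-kept lengths. The bounds test
 * forgets the '/' and the terminating NUL, so an exact fit writes two
 * bytes past dstsize. */
int join_manual(char *dst, size_t dstsize, const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);

    if (la + lb > dstsize)          /* off by two */
        return -1;
    memcpy(dst, a, la);
    dst[la] = '/';
    memcpy(dst + la + 1, b, lb);
    dst[la + 1 + lb] = '\0';
    return 0;
}

/* Hardened: snprintf() does the accounting and reports truncation.
 * (On OpenBSD, strlcpy(3)/strlcat(3) serve the same purpose.) */
int join_checked(char *dst, size_t dstsize, const char *a, const char *b)
{
    int n = snprintf(dst, dstsize, "%s/%s", a, b);

    if (n < 0 || (size_t)n >= dstsize)
        return -1;
    return 0;
}

typedef int (*join_fn)(char *, size_t, const char *, const char *);

/* Constructed input: the callee is told it owns 8 bytes of a 16-byte
 * arena filled with a canary value, so an overrun is observable without
 * leaving the array. Returns 1 if any byte past the 8th was modified. */
int writes_past_end(join_fn join)
{
    unsigned char arena[16];
    const size_t claimed = 8;
    size_t i;

    memset(arena, 0x5a, sizeof(arena));
    join((char *)arena, claimed, "usr", "local");   /* needs 10 bytes */
    for (i = claimed; i < sizeof(arena); i++)
        if (arena[i] != 0x5a)
            return 1;
    return 0;
}

int main(void)
{
    size_t sz = 0;

    printf("manual size for 2^(N-1) x 2 elements: %zu\n",
        alloc_size_manual(SIZE_MAX / 2 + 1, 2));
    printf("checked size accepted: %s\n",
        alloc_size_checked(SIZE_MAX / 2 + 1, 2, &sz) == 0 ? "yes" : "no");
    printf("join_manual overruns:  %d\n", writes_past_end(join_manual));
    printf("join_checked overruns: %d\n", writes_past_end(join_checked));
    return 0;
}
```
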
Re: lynx is gone?
On Fri, Mar 06, 2015 at 09:14:07AM GMT, ludovic coues wrote:
> I believe Theo already told what's wrong with SQLite. His words were
> "The code uses risk-prone idioms." if I'm not mistaken.

He had, indeed, in a reply to Marc's email - I was replying to his
earlier email so hadn't seen that one yet.

Besides, initially Jan asked Ingo to expand on the subject and it would
be nice to "hear" it from him - as I've mentioned before, Marc and
Stefan weren't *that* strongly concerned about it so, as you can see,
opinions vary and it would be still nice to know what Ingo had in mind
:^)

> A lot of arguments advanced to keep lynx were basically "don't act
> unless there is a security issue". From what I see, OpenBSD dev act
> against code which might be source of issue. That's why there is so
> few vulnerabilities in base. The bad code was already gone when those
> are found in other OS.

The question was about 'sqlite' - we hadn't mentioned anything about
'lynx'.
On reflection, this probably wasn't the best thread to ask more
questions, in ;^)

> By the way, is there a list of common risk-prone idioms ?

+1

Cheers,

Raf
Re: lynx is gone?
2015-03-06 9:58 GMT+01:00 Raf Czlonka :
> On Fri, Mar 06, 2015 at 02:13:59AM GMT, Theo de Raadt wrote:
>
>> >On Thu, Mar 05, 2015 at 08:24:47PM GMT, Theo de Raadt wrote:
>> >> >Ingo,
>> >> >
>> >> >On Mar 05 18:11:31, schwa...@usta.de wrote:
>> >> >> By the way, lynx(1) removal doesn't really hurt that much.
>> >> >> Rotten code that will hurt more when it will finally be deleted
>> >> >> includes, for example, the sqlite3(1) library and file(1).
>> >> >
>> >> >can you please elaborate on what's rotten in sqlite?
>> >>
>> >> Jan, can you please start from the other end, and provide evidence
>> >> that the code is of the highest possible quality?
>> >
>> >Hi Theo,
>> >
>> >Based on the above, Jan hadn't made any such claims so no evidence is
>> >required. He only asked Ingo to support *his* claim - more info, for
>> >mere reference, if nothing else, would be greatly appreciated. :^)
>>
>> Please run something else. You'll be happier. Really. You don't
>> need code-fussy people around you.
>
> I'm not unhappy with SQLite, so would genuinely like to know what's so
> bad about it - it seems Jan would too. Neither Marc nor Stefan consider
> SQLite *that* badly rotten - Ingo does. Jan would like to get more
> information about it and so would I.
>
> If someone makes a claim, it's only fair to ask them to support it with
> examples. Now, to jump ahead of your next reply - neither Jan nor myself
> made any claims.
>

I believe Theo already told what's wrong with SQLite. His words were
"The code uses risk-prone idioms." if I'm not mistaken.

A lot of arguments advanced to keep lynx were basically "don't act
unless there is a security issue". From what I see, OpenBSD dev act
against code which might be source of issue. That's why there is so
few vulnerabilities in base. The bad code was already gone when those
are found in other OS.

By the way, is there a list of common risk-prone idioms ?

--
Regards,
Coues Ludovic
+336 148 743 42
Re: lynx is gone?
On Fri, Mar 06, 2015 at 02:13:59AM GMT, Theo de Raadt wrote:
> >On Thu, Mar 05, 2015 at 08:24:47PM GMT, Theo de Raadt wrote:
> >> >Ingo,
> >> >
> >> >On Mar 05 18:11:31, schwa...@usta.de wrote:
> >> >> By the way, lynx(1) removal doesn't really hurt that much.
> >> >> Rotten code that will hurt more when it will finally be deleted
> >> >> includes, for example, the sqlite3(1) library and file(1).
> >> >
> >> >can you please elaborate on what's rotten in sqlite?
> >>
> >> Jan, can you please start from the other end, and provide evidence
> >> that the code is of the highest possible quality?
> >
> >Hi Theo,
> >
> >Based on the above, Jan hadn't made any such claims so no evidence is
> >required. He only asked Ingo to support *his* claim - more info, for
> >mere reference, if nothing else, would be greatly appreciated. :^)
>
> Please run something else. You'll be happier. Really. You don't
> need code-fussy people around you.

I'm not unhappy with SQLite, so would genuinely like to know what's so
bad about it - it seems Jan would too. Neither Marc nor Stefan consider
SQLite *that* badly rotten - Ingo does. Jan would like to get more
information about it and so would I.

If someone makes a claim, it's only fair to ask them to support it with
examples. Now, to jump ahead of your next reply - neither Jan nor myself
made any claims. All we would like is some reference.

If there's a better equivalent/replacement to SQLite, however, then
some more info would be greatly appreciated.

Cheers,

Raf
Re: lynx is gone?
On Thu, Mar 5, 2015, at 08:24 PM, Paolo Aglialoro wrote:
> Dear Theo,
>
> I respect you as a person and I respect your work.
>
> This said, I can also tell you that, after a few years reading misc@,
> there is still one thing that I do not understand about your
> "colourful" answers to several mails.
>
> Not all the people who run obsd can, for various personal reasons of
> their own, contribute as a coder. But they still can contribute as
> users, reporting problems or making suggestions. This does not
> necessarily mean they "order" you what to do or not to do, don't take
> it personally. They just love to run obsd, so they try to do their
> best. My grandpa taught me that when people don't tell you things it's
> because they just don't care anymore.
>
> With their detailed answers, for instance, Stuart, Giancarlo and Ingo
> showed attention to my problem as a user, analyzing things just on a
> logical viewpoint. I perfectly accept their polite way of answering.
>
> Here nobody was making a wishlist for obsd like "I want zfs, xfs,
> ext4, pf multicore, etc.". The point is that here, often, the moment
> you got used to a tool, the day after it's gone/modified. This creates
> frustration in the average user, like me.
>
> Of course we're still a pkg_add away but, hey, isn't denying to
> consider that most people will keep using that tool a contradiction?
> Yes, base will be pure and safe, but at the same time it will diminish
> functionality, depending more and more from packages.
>
> This said, this is your OS, delete everything you like!
>
> Just be respectful, please.
>
> On 05/Mar/2015 21:43, "Theo de Raadt" wrote:
> >
> > >So it looks like that, till some months ago, everybody here was on the
> > >wrong OS and risking their lives, as lynx was in base!
> >
> > Such hyperbole! Such drama!
> >
> > Impressive.
> >
> > If you don't like our software, there are other options out there for
> > you to use. In the end, it is our software, and we get to make our own
> > choices.
> >
> > That is fair. People who get to make choices, tend to care, and tend to
> > try to make things better for themselves and everyone, according to a
> > narrow definition, but there you have it. No hyperbole or drama needed.
> >
> > You can run something else, Sir.
>

How was Theo being disrespectful? I don't see it. Compared to most of
Theo's responses this was a love letter. :)
Re: lynx is gone?
>On Thu, Mar 5, 2015 at 9:32 PM, Theo de Raadt
>wrote:
>
>>
>> Never know. OpenBSD is not generally known as an exposed democracy.
>>
>
>This made me chuckle out loud :)

Well, it makes me laugh out loud too.

We are successfully making good software, using a scheme called
undemocratic.

How un-American of us.

Laughing again? You must be a terrorist.
Re: lynx is gone?
On Thu, Mar 5, 2015 at 9:32 PM, Theo de Raadt wrote:
>
> Never know. OpenBSD is not generally known as an exposed democracy.
>

This made me chuckle out loud :)

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted." -- Gene Spafford
learn french: http://www.youtube.com/watch?v=30v_g83VHK4
Re: lynx is gone?
>Dear Theo,
>
>I respect you as a person and I respect your work.
>
>This said, I can also tell you that, after a few years reading misc@, there
>is still one thing that I do not understand about your "colourful" answers
>to several mails.
>
>Not all the people who run obsd can, for various personal reasons of their
>own, contribute as a coder. But they still can contribute as users,
>reporting problems or making suggestions. This does not necessarily mean
>they "order" you what to do or not to do, don't take it personally. They
>just love to run obsd, so they try to do their best. My grandpa taught me
>that when people don't tell you things it's because they just don't care
>anymore.
>
>With their detailed answers, for instance, Stuart, Giancarlo and Ingo
>showed attention to my problem as a user, analyzing things just on a
>logical viewpoint. I perfectly accept their polite way of answering.
>
>Here nobody was making a wishlist for obsd like "I want zfs, xfs,
>ext4, pf multicore, etc.". The point is that here, often, the moment you
>got used to a tool, the day after it's gone/modified. This creates
>frustration in the average user, like me.
>
>Of course we're still a pkg_add away but, hey, isn't denying to consider
>that most people will keep using that tool a contradiction? Yes, base will
>be pure and safe, but at the same time it will diminish functionality,
>depending more and more from packages.
>
>This said, this is your OS, delete everything you like!
>
>Just be respectful, please.

Thank you for your detailed mail. It has led me to revisit my
viewpoints.

We will be adding Firefox to the base distribution. It is time to stop
this focus on a high quality base, and just incorporate what people
want, even if it is harder then for developers to use existing methods
to discern good from crap.

ps. If you still want the old world, it is still there. There are many
software legacy software distributions that don't change as fast. Like
Linux or FreeBSD.

pps. If that does not agree with you, you should feel lucky because a
few projects choose to forge ahead and see where future change may get
us (in the future, as in, not so much Xenix compat anymore)
Re: lynx is gone?
>> It's not like this wasn't discussed previously. At length.
>> http://marc.info/?t=14050482952&r=1&w=2
>
>Wow! And I thought the whole fun is on misc@ only. It looks like some
>folks are ready to quit using an OS because of some software location
>(base or packages).
>The irony is lynx is also an extinct animal called "smile" in my country.

Businesses fire their worst customers all the time, to allow the
business to focus on doing what it does best without adhering to models
used in the past to get ahead.

Maybe the removal of lynx is not about the low quality of the software
and general lack of maintenance moving it forward. Maybe it is more of
a conspiracy against our worst users, those ready to accept bad
software as a part of the better whole.

Never know. OpenBSD is not generally known as an exposed democracy.

If people want an exposed democracy with different warts, Debian seems
to be such a thing. Choose your warts carefully.
Re: lynx is gone?
On Thu, Mar 5, 2015 at 5:24 PM, Paolo Aglialoro wrote:
> Dear Theo,
>
> I respect you as a person and I respect your work.
>
> This said, I can also tell you that, after a few years reading misc@,
> there is still one thing that I do not understand about your
> "colourful" answers to several mails.
>
> Not all the people who run obsd can, for various personal reasons of their
> own, contribute as a coder. But they still can contribute as users,
> reporting problems or making suggestions. This does not necessarily mean
> they "order" you what to do or not to do, don't take it personally. They
> just love to run obsd, so they try to do their best. My grandpa taught me
> that when people don't tell you things it's because they just don't care
> anymore.
>
> With their detailed answers, for instance, Stuart, Giancarlo and Ingo
> showed attention to my problem as a user, analyzing things just on a
> logical viewpoint. I perfectly accept their polite way of answering.
>
> Here nobody was making a wishlist for obsd like "I want zfs, xfs,
> ext4, pf multicore, etc.". The point is that here, often, the moment you
> got used to a tool, the day after it's gone/modified. This creates
> frustration in the average user, like me.
>

Uhm, excuse me, I definitely want all of those things. If I don't get
them right now I'll stomp my feet and cry until I do!

> Of course we're still a pkg_add away but, hey, isn't denying to consider
> that most people will keep using that tool a contradiction? Yes, base will
> be pure and safe, but at the same time it will diminish functionality,
> depending more and more from packages.
>
> This said, this is your OS, delete everything you like!
>
> Just be respectful, please.
>

This discussion started off with disrespect to the project's developers
and continued throughout much of it. Respect is something to be earned,
don't expect to get it for free.

-Gene

>
> On 05/Mar/2015 21:43, "Theo de Raadt" wrote:
> >
> > >So it looks like that, till some months ago, everybody here was on the
> > >wrong OS and risking their lives, as lynx was in base!
> >
> > Such hyperbole! Such drama!
> >
> > Impressive.
> >
> > If you don't like our software, there are other options out there for
> > you to use. In the end, it is our software, and we get to make our own
> > choices.
> >
> > That is fair. People who get to make choices, tend to care, and tend to
> > try to make things better for themselves and everyone, according to a
> > narrow definition, but there you have it. No hyperbole or drama needed.
> >
> > You can run something else, Sir.
Re: lynx is gone?
>On Thu, Mar 05, 2015 at 08:24:47PM GMT, Theo de Raadt wrote:
>> >Ingo,
>> >
>> >On Mar 05 18:11:31, schwa...@usta.de wrote:
>> >> By the way, lynx(1) removal doesn't really hurt that much.
>> >> Rotten code that will hurt more when it will finally be deleted
>> >> includes, for example, the sqlite3(1) library and file(1).
>> >
>> >can you please elaborate on what's rotten in sqlite?
>>
>> Jan, can you please start from the other end, and provide evidence
>> that the code is of the highest possible quality?
>
>Hi Theo,
>
>Based on the above, Jan hadn't made any such claims so no evidence is
>required. He only asked Ingo to support *his* claim - more info, for
>mere reference, if nothing else, would be greatly appreciated. :^)

Please run something else. You'll be happier. Really. You don't
need code-fussy people around you.
Re: lynx is gone?
Dear Theo,

I respect you as a person and I respect your work.

This said, I can also tell you that, after a few years reading misc@,
there is still one thing that I do not understand about your
"colourful" answers to several mails.

Not all the people who run obsd can, for various personal reasons of
their own, contribute as a coder. But they still can contribute as
users, reporting problems or making suggestions. This does not
necessarily mean they "order" you what to do or not to do, don't take
it personally. They just love to run obsd, so they try to do their
best. My grandpa taught me that when people don't tell you things it's
because they just don't care anymore.

With their detailed answers, for instance, Stuart, Giancarlo and Ingo
showed attention to my problem as a user, analyzing things just on a
logical viewpoint. I perfectly accept their polite way of answering.

Here nobody was making a wishlist for obsd like "I want zfs, xfs,
ext4, pf multicore, etc.". The point is that here, often, the moment
you got used to a tool, the day after it's gone/modified. This creates
frustration in the average user, like me.

Of course we're still a pkg_add away but, hey, isn't denying to
consider that most people will keep using that tool a contradiction?
Yes, base will be pure and safe, but at the same time it will diminish
functionality, depending more and more from packages.

This said, this is your OS, delete everything you like!

Just be respectful, please.

On 05/Mar/2015 21:43, "Theo de Raadt" wrote:
>
> >So it looks like that, till some months ago, everybody here was on the
> >wrong OS and risking their lives, as lynx was in base!
>
> Such hyperbole! Such drama!
>
> Impressive.
>
> If you don't like our software, there are other options out there for
> you to use. In the end, it is our software, and we get to make our own
> choices.
>
> That is fair. People who get to make choices, tend to care, and tend to
> try to make things better for themselves and everyone, according to a
> narrow definition, but there you have it. No hyperbole or drama needed.
>
> You can run something else, Sir.
Re: lynx is gone?
> It's not like this wasn't discussed previously. At length.
> http://marc.info/?t=14050482952&r=1&w=2

Wow! And I thought the whole fun is on misc@ only. It looks like some
folks are ready to quit using an OS because of some software location
(base or packages).
The irony is lynx is also an extinct animal called "smile" in my
country.
Re: lynx is gone?
On Thu, Mar 05, 2015 at 08:24:47PM GMT, Theo de Raadt wrote:
> >Ingo,
> >
> >On Mar 05 18:11:31, schwa...@usta.de wrote:
> >> By the way, lynx(1) removal doesn't really hurt that much.
> >> Rotten code that will hurt more when it will finally be deleted
> >> includes, for example, the sqlite3(1) library and file(1).
> >
> >can you please elaborate on what's rotten in sqlite?
>
> Jan, can you please start from the other end, and provide evidence
> that the code is of the highest possible quality?

Hi Theo,

Based on the above, Jan hadn't made any such claims so no evidence is
required. He only asked Ingo to support *his* claim - more info, for
mere reference, if nothing else, would be greatly appreciated. :^)

Cheers,

Raf
Re: lynx is gone?
On Thu, Mar 05, 2015 at 06:52:20PM +0100, Marc Espie wrote:
> > On Thu, Mar 05, 2015 at 06:11:31PM +0100, Ingo Schwarze wrote:
> > > By the way, lynx(1) removal doesn't really hurt that much.
> > > Rotten code that will hurt more when it will finally be deleted
> > > includes, for example, the sqlite3(1) library and file(1).
> >
> > re: sqlite, the code doesn't follow our guidelines, but it's not that
> > badly rotten. I've played with it a bit, and as long as you use it for
> > what it's meant (sql), it's pretty sturdy.
> I concur. And the sqlite devs are also reacting quickly to bug reports.
> The very few times new sqlite releases caused a regression in SVN the
> problem was fixed promptly.
> http://article.gmane.org/gmane.comp.db.sqlite.general/66248
> http://www.sqlite.org/src/info/4c86b126f2

Reactive is not the same as proactive.

The code uses risk-prone idioms.
Re: lynx is gone?
>So it looks like that, till some months ago, everybody here was on the
>wrong OS and risking their lives, as lynx was in base!

Such hyperbole! Such drama!

Impressive.

If you don't like our software, there are other options out there for
you to use. In the end, it is our software, and we get to make our own
choices.

That is fair. People who get to make choices, tend to care, and tend to
try to make things better for themselves and everyone, according to a
narrow definition, but there you have it. No hyperbole or drama needed.

You can run something else, Sir.
Re: lynx is gone?
>Ingo,
>
>On Mar 05 18:11:31, schwa...@usta.de wrote:
>> By the way, lynx(1) removal doesn't really hurt that much.
>> Rotten code that will hurt more when it will finally be deleted
>> includes, for example, the sqlite3(1) library and file(1).
>
>can you please elaborate on what's rotten in sqlite?

Jan, can you please start from the other end, and provide evidence
that the code is of the highest possible quality?

Thank you.
Re: lynx is gone?
Ingo,

On Mar 05 18:11:31, schwa...@usta.de wrote:
> By the way, lynx(1) removal doesn't really hurt that much.
> Rotten code that will hurt more when it will finally be deleted
> includes, for example, the sqlite3(1) library and file(1).

can you please elaborate on what's rotten in sqlite?

Jan
Re: lynx is gone?
Paolo Aglialoro wrote:
> So it looks like that, till some months ago, everybody here was on the
> wrong OS and risking their lives, as lynx was in base! But I have never

It's not like this wasn't discussed previously. At length.

http://marc.info/?t=14050482952&r=1&w=2
Re: lynx is gone?
On 05-03-2015 13:20, Paolo Aglialoro wrote:
> I perfectly agree with you, both on fun and curiosity.
>
> Nevertheless, not all the times we have got time enough "to have fun
> netcatting servers". More than often u just have to go straight to the
> point.

But before you can get to the point, someone (hopefully) looked under the hood for you.

> Btw, try these with (net)cat:
>
> $ lynx saveddocument.html
> $ pdftohtml -stdout -i manual.pdf | lynx -stdin

As I mentioned, "for the task the OP mentioned". Of course netcat does not replace a browser.

> Actually it does on a user viewpoint: a server daemon is up 24/7 while a
> client is activated by the user. For the server, insecurity comes mainly
> from its own flaws, for the client danger does not mainly come from the
> tool itself (unless it's a totally hopeless sw) but from the *potentially*
> silly utilization which is done by the user.

You forget that programs bring along libraries and other potentially nasty stuff when run. lynx had support for a lot of protocols besides http. Take a look at the tech@ thread from last year that prompted its removal.

> So it looks like that, till some months ago, everybody here was on the
> wrong OS and risking their lives, as lynx was in base! But I have never
> read here about anybody who had his system compromised because of poor
> lynx. So, right now, this deletion reflects more a "what if" worry than a
> real threat, i.e. lynx <> shellshock.

Many of OpenBSD's security features are based on "what if". That does not mean that in the future, the "what if", can't become a real threat. The mentality of the OpenBSD devs is in the right place. They try hard to make an OS that tries not to allow you to shoot yourself in the face. Even if that means removing software that might (or not) pose a threat to you in any point in the future.

Cheers,
Giancarlo Razzolini
Re: lynx is gone?
> $ pdftohtml -stdout -i manual.pdf | lynx -stdin

I do that all the time. ;-)

I see no problem with it being removed from base though. It's just a pkg_add away.
Re: lynx is gone?
On Thu, Mar 05, 2015 at 06:52:20PM +0100, Marc Espie wrote:
> On Thu, Mar 05, 2015 at 06:11:31PM +0100, Ingo Schwarze wrote:
> > By the way, lynx(1) removal doesn't really hurt that much.
> > Rotten code that will hurt more when it will finally be deleted
> > includes, for example, the sqlite3(1) library and file(1).
>
> re: sqlite, the code doesn't follow our guidelines, but it's not that
> badly rotten. I've played with it a bit, and as long as you use it for
> what it's meant (sql), it's pretty sturdy.

I concur. And the sqlite devs are also reacting quickly to bug reports.
The very few times new sqlite releases caused a regression in SVN the
problem was fixed promptly.
http://article.gmane.org/gmane.comp.db.sqlite.general/66248
http://www.sqlite.org/src/info/4c86b126f2
Re: lynx is gone?
On Thu, Mar 05, 2015 at 06:11:31PM +0100, Ingo Schwarze wrote:
> By the way, lynx(1) removal doesn't really hurt that much.
> Rotten code that will hurt more when it will finally be deleted
> includes, for example, the sqlite3(1) library and file(1).

re: sqlite, the code doesn't follow our guidelines, but it's not that
badly rotten. I've played with it a bit, and as long as you use it for
what it's meant (sql), it's pretty sturdy.
Re: lynx is gone?
On Thu, Mar 5, 2015 at 11:11 AM, Ingo Schwarze wrote:
> Hi Paolo,
>
> Paolo Aglialoro wrote on Thu, Mar 05, 2015 at 05:20:51PM +0100:
>
> > So it looks like that, till some months ago, everybody here was
> > on the wrong OS and risking their lives, as lynx was in base!
>
> That's a fallacy so common that it's worth calling out.
>
> An operating system is not a religion: Created perfect by God
> herself ere the Dawn of Time and since conserved untainted by Her
> faithful and diligent followers.
>
> OpenBSD inherits from 4.3BSD-Reno and 4.4BSD-Lite2 via 386BSD and
> NetBSD-1.0. The CSRG BSD code was good code by 1990 standards, is
> not so good any longer by 2015 standards, and much third-party stuff
> of lesser quality had to be included simply because nothing better
> was freely available at the time, or even available at all.
>
> We keep improving the code, you know, one (intentional!) side effect
> being that the bar of what is deemed good enough is constantly
> rising. Most often, when something is no longer good enough,
> somebody cares enough to write a better replacement, though nobody
> is obliged to do that work and nobody is entitled to request it.
>
> Sometimes, stuff has already rotten for too long before patience
> finally runs out, and still no one cares enough to write the
> replacement. If the system is still deemed usable without it,
> it may get deleted outright, even if that hurts a bit.
>
> If it hurts you, take that as an incentive to write the replacement.
>
> Yours,
> Ingo
>
>
> P.S.
> By the way, lynx(1) removal doesn't really hurt that much.
> Rotten code that will hurt more when it will finally be deleted
> includes, for example, the sqlite3(1) library and file(1).
>
>

Maintaining file might be a good enough reason for me to learn C and contribute. file is pretty high on my list of must-have's.
Re: lynx is gone?
Hi Paolo,

Paolo Aglialoro wrote on Thu, Mar 05, 2015 at 05:20:51PM +0100:

> So it looks like that, till some months ago, everybody here was
> on the wrong OS and risking their lives, as lynx was in base!

That's a fallacy so common that it's worth calling out.

An operating system is not a religion: Created perfect by God
herself ere the Dawn of Time and since conserved untainted by Her
faithful and diligent followers.

OpenBSD inherits from 4.3BSD-Reno and 4.4BSD-Lite2 via 386BSD and
NetBSD-1.0. The CSRG BSD code was good code by 1990 standards, is
not so good any longer by 2015 standards, and much third-party stuff
of lesser quality had to be included simply because nothing better
was freely available at the time, or even available at all.

We keep improving the code, you know, one (intentional!) side effect
being that the bar of what is deemed good enough is constantly
rising. Most often, when something is no longer good enough,
somebody cares enough to write a better replacement, though nobody
is obliged to do that work and nobody is entitled to request it.

Sometimes, stuff has already rotten for too long before patience
finally runs out, and still no one cares enough to write the
replacement. If the system is still deemed usable without it,
it may get deleted outright, even if that hurts a bit.

If it hurts you, take that as an incentive to write the replacement.

Yours,
Ingo


P.S.
By the way, lynx(1) removal doesn't really hurt that much.
Rotten code that will hurt more when it will finally be deleted
includes, for example, the sqlite3(1) library and file(1).
Re: lynx is gone?
On 05/Mar/2015 14:34, "Giancarlo Razzolini" wrote:
>
> But it's so fun man! If people looked under the hood more often, we wouldn't had the bug nightmare that was these past years. Heartbleed, ghost, shellshock, etc.

I perfectly agree with you, both on fun and curiosity.

Nevertheless, not all the times we have got time enough "to have fun
netcatting servers". More than often u just have to go straight to the
point.

Btw, try these with (net)cat:

$ lynx saveddocument.html
$ pdftohtml -stdout -i manual.pdf | lynx -stdin

> lynx removal does not compare to this.

Actually it does on a user viewpoint: a server daemon is up 24/7 while a
client is activated by the user. For the server, insecurity comes mainly
from its own flaws, for the client danger does not mainly come from the
tool itself (unless it's a totally hopeless sw) but from the *potentially*
silly utilization which is done by the user.

> Then you're on the wrong Operating System. OpenBSD is secure by default. If lynx had the tiniest chance of compromising your system, then I'm glad it's gone.

So it looks like that, till some months ago, everybody here was on the
wrong OS and risking their lives, as lynx was in base! But I have never
read here about anybody who had his system compromised because of poor
lynx. So, right now, this deletion reflects more a "what if" worry than a
real threat, i.e. lynx <> shellshock.
Re: lynx is gone?
> > And, just for the records, I bet that 99% of use of lynx is just sysadmin
> > stuff on CLI systems

The reason I install lynx from ports is simply because it opens the packages directory in seconds rather than 10s of seconds compared to even xombrero which is quicker than firefox or chrome.

Having seen people browse the web on exchange servers I'm quite happy for it to be gone from base as it simply saves me from ever needing to chmod 000 it on servers.
Re: lynx is gone?
On 04-03-2015 20:30, Paolo Aglialoro wrote:
>
> Using netcat or ftp to browse the web/intranet/localhost in the 3rd
> millennium is like eating a steak with a spoon.

But it's so fun man! If people looked under the hood more often, we wouldn't have had the bug nightmare that was these past years. Heartbleed, ghost, shellshock, etc.

Konsole output
~# nc -vvv www.openbsd.org 80
Connection to www.openbsd.org 80 port [tcp/www] succeeded!
GET / HTTP/1.1
Host: www.openbsd.org

HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 13:28:54 GMT
Server: Apache
Last-Modified: Wed, 19 Nov 2014 17:29:26 GMT
ETag: "84c3c06e225fcffbdd723847e25fa29b1586fbe2"
Accept-Ranges: bytes
Content-Length: 4871
Content-Type: text/html

>
> It's the same logic of leaving open root ssh access with pw=password:
> nothing can stop a stupid misuse of things. But this is not a good reason
> to delete ssh.

lynx removal does not compare to this. It was removed based solely on technical merits. That, and the fact that no OpenBSD dev would spare time to fix it.

>
> And, just for the records, I bet that 99% of use of lynx is just sysadmin
> stuff on CLI systems, for the rest (the dangerous horrid scary world...)
> there are X clients with Firefox. Who's going to warez sites with lynx? Of
> course we're all a pkg_add away, but that is not the point.

I didn't get your point.

>
> Security is a damn good thing.
> Excesses not.

Then you're on the wrong Operating System. OpenBSD is secure by default. If lynx had the tiniest chance of compromising your system, then I'm glad it's gone.

Cheers,
Giancarlo Razzolini
Re: lynx is gone?
On 2015-03-04, Paolo Aglialoro wrote:
> And, just for the records, I bet that 99% of use of lynx is just sysadmin
> stuff on CLI systems

And probably a lot of that is quickly checking something that you're only doing directly on the machine for convenience. Something that you might otherwise do on the system you're ssh'ing from, or on a phone/etc which avoids the need to run any browser on what is potentially a sensitive server.

And the remainder for things like lynx -dump in scripts where it can easily be pkg_add'ed if needed. (hopefully these will run as a relatively unprivileged user).

> for the rest (the dangerous horrid scary world...) there are X clients
> with Firefox. Who's going to warez sites with lynx?

You've never heard of webservers on technical topics being attacked and serving malicious content?
Re: lynx is gone?
This sounds like:
"As with a knife one could cut throats, let's start eating only with the fork. Oh, btw, but also the fork could poke, so let's use just the spoon."

Using netcat or ftp to browse the web/intranet/localhost in the 3rd
millennium is like eating a steak with a spoon.

It's the same logic of leaving open root ssh access with pw=password:
nothing can stop a stupid misuse of things. But this is not a good reason
to delete ssh.

And, just for the records, I bet that 99% of use of lynx is just sysadmin
stuff on CLI systems, for the rest (the dangerous horrid scary world...)
there are X clients with Firefox. Who's going to warez sites with lynx? Of
course we're all a pkg_add away, but that is not the point.

Security is a damn good thing.
Excesses not.

On 04/Mar/2015 20:01, "Giancarlo Razzolini" wrote:
>
> On 04-03-2015 15:48, Jeff St. George wrote:
> > Its not in my pay grade to offer a technical opinion on Lynx removal!
> > But ,,WHAT r u folks using instead, considering??
> Well, for the task the OP mentioned, finding a mirror for pkg_add, you
> could do plenty of things to accomplish that. netcating to the OpenBSD
> site and running the http get's by hand is one that comes to mind.
> curling the mirrors page is another. The fact is, there are no
> decent/secure text mode browsers, and given the discussion on tech@ last
> year about lynx removal, I believe it should have gone sooner. I don't
> think any other text mode browser will make into base in the near
> future, unless someone develops a secure one.
>
> Cheers,
> Giancarlo Razzolini
Re: lynx is gone?
>> So, remove Xombrero from base too, he segfault everytime
> Done!

Hey, wait!

The plan was to improve browsers, wasn't it? That's not the same thing as deleting them, you know!

Then again, if we set the firefox to keep the tedu (err... or was it the other way round...?) we need not be surprised that browsers end up... getting lost. :-D

Everyone please lock the tree: somebody let a tedu loose!

Yours,
Ingo
Re: lynx is gone?
On Wed, Mar 4, 2015 at 2:15 PM, L.R. D.S. wrote:
>>1) lynx has some amazingly insecure code
>
> So, remove Xombrero from base too, he segfault everytime
> and is much more insecure due to ECMAscript engine of WebKit.
>
>>curl
>
> Please guys, a browser is different from a http/ftp downloader. A
> browser have HTML parser, and funcionality's for you... ahm... browse?
>

I accidentally posted off list the first time.

I'm just a user, but my preference is to let the devs, for lack of a better word, dev. If I knew how to run the OpenBSD project to end up with something like OpenBSD, which I'm fond of, I'd be . . . a lot smarter . . .

The app (lynx) is on the CD's as a package, for now, at least. That works fine for me, and I am a pretty frequent lynx user.

My 2 cents.

Carl T.
Re: lynx is gone?
L.R. D.S. wrote:
> So, remove Xombrero from base too, he segfault everytime

Done!
Re: lynx is gone?
>1) lynx has some amazingly insecure code

So, remove Xombrero from base too, he segfault everytime
and is much more insecure due to ECMAscript engine of WebKit.

>curl

Please guys, a browser is different from a http/ftp downloader. A
browser have HTML parser, and functionalities for you... ahm... browse?
Re: lynx is gone?
On Wed, Mar 4, 2015 at 1:48 PM, Jeff St. George wrote:
> Its not in my pay grade to offer a technical opinion on Lynx removal!
> But ,,WHAT r u folks using instead, considering??
>

typically when I am setting up a server I have a laptop with me. the laptop will either have my pre-planning notes, or if it doesn't have that, it will be where I record my as-built notes. either way, at the end I will have a record on my laptop of all the key information I would need if I ever have to rebuild that particular server.

since I have my laptop with me anyway, if I need to look at any web pages during the server install, I use that.

if I really need to fetch a web page on the server itself, I use ftp (which also supports http).

if it's not a server (i.e. I'm setting up a workstation) then I'll typically want X and something like Firefox.

-ken
Re: lynx is gone?
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On
> Behalf Of Bob Eby
> Sent: Wednesday, March 04, 2015 10:11 AM
> To: misc@openbsd.org
> Subject: lynx is gone?
>
> Lynx is gone. Wow just wow, I'm stupefied by just how much you guys have
> removed from base.
>
> The least you could do is put something on afterboot useful to getting a
> web browser up and running. Note: it's usually helpful to have a
> web-browser to do things like oh, I don't know, find a suitable mirror for
> pkg_add?
>

#ftp -o - http://www.openbsd.org/ftp.html | grep nofollow
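The one-liner above, carried one step further as an added example (not part of the original post): it pulls the href values out of the lines that grep selects and keeps only URLs made of a conservative character set, so a scraped string is never handed to pkg_add or a shell unchecked. The sample HTML is constructed, the function names are hypothetical, and the assumption that mirror links carry rel="nofollow" is taken from the grep in the post.

```sh
#!/bin/sh
# Added example: extract mirror URLs from an HTML mirror list and keep only
# those that are safe to pass on to other commands (for instance as PKG_PATH).

# Constructed sample input standing in for the downloaded page. The real
# page's markup is not shown in the thread; all that is known from the post
# is that the mirror links can be selected with "grep nofollow".
sample_mirror_page() {
cat <<'EOF'
<p><a href="index.html">Home</a></p>
<li><a href="http://mirror.example.org/pub/OpenBSD/" rel="nofollow">Example City</a></li>
<li><a href="ftp://ftp.example.net/pub/OpenBSD/" rel="nofollow">Example Town</a></li>
<li><a href="javascript:alert(1)" rel="nofollow">not a mirror</a></li>
<li><a href="http://bad.example/pub/OpenBSD/;x" rel="nofollow">stray metacharacter</a></li>
EOF
}

# Read HTML on stdin, print one validated mirror URL per line.
#  1. grep keeps the lines the original one-liner would show.
#  2. sed prints the href value (the last one, if a line holds several).
#  3. the final grep is an allowlist: http, https or ftp scheme, a plain
#     host name with optional port, and a path without quotes, spaces or
#     shell metacharacters. Everything else is dropped.
extract_mirrors() {
    grep nofollow |
    sed -n 's/.*href="\([^"]*\)".*/\1/p' |
    grep -E '^(https?|ftp)://[A-Za-z0-9.-]+(:[0-9]+)?(/[A-Za-z0-9._~/-]*)?$'
}

# Stand-alone run on the constructed sample. On a live system the input
# would come from: ftp -o - http://www.openbsd.org/ftp.html
sample_mirror_page | extract_mirrors
```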
Re: lynx is gone?
On 2015-03-04, Giancarlo Razzolini wrote:
curling the mirrors page is another.

This was my first thought. I don't think this is out of anyone's league if they are already choosing to install OpenBSD.
Re: lynx is gone?
On 04-03-2015 15:48, Jeff St. George wrote:
> Its not in my pay grade to offer a technical opinion on Lynx removal!
> But ,,WHAT r u folks using instead, considering??

Well, for the task the OP mentioned, finding a mirror for pkg_add, you
could do plenty of things to accomplish that. netcating to the OpenBSD
site and running the http get's by hand is one that comes to mind.
curling the mirrors page is another. The fact is, there are no
decent/secure text mode browsers, and given the discussion on tech@ last
year about lynx removal, I believe it should have gone sooner. I don't
think any other text mode browser will make into base in the near
future, unless someone develops a secure one.

Cheers,
Giancarlo Razzolini
Re: lynx is gone?
It's not in my pay grade to offer a technical opinion on Lynx removal!
But ,,WHAT r u folks using instead, considering??

thanks OpenBSD
Re: lynx is gone?
On Wed, Mar 04, 2015 at 04:49:06PM +0100, Manuel Giraud wrote:
> Peter Hessler writes:
>
> > 1) lynx has some amazingly insecure code
> >
> > 2) the installer installs a functional pkg.conf if you installed from
> > the network.
>
> 3) nethack is not in base

At least parts of nethack is GPL.
Re: lynx is gone?
Peter Hessler writes:

> 1) lynx has some amazingly insecure code
>
> 2) the installer installs a functional pkg.conf if you installed from
> the network.

3) nethack is not in base

--
Manuel Giraud
Re: lynx is gone?
1) lynx has some amazingly insecure code

2) the installer installs a functional pkg.conf if you installed from the network.

On 2015 Mar 04 (Wed) at 10:11:17 -0500 (-0500), Bob Eby wrote:
:Lynx is gone. Wow just wow, I'm stupefied by just how much you guys have
:removed from base.
:
:The least you could do is put something on afterboot useful to getting a
:web browser up and running. Note: it's usually helpful to have a
:web-browser to do things like oh, I don't know, find a suitable mirror for
:pkg_add?
:
:It was fun playing with the packet filter all those years ago, but I think
:I've had my fill of OpenBSD after lack of new hard drive formats, WPA2
:hassles, failure to get very popular and important firmwares (ipw anyone?)
:into the distribution. (Nothing like installing over a wireless NIC when
:you don't have the firmware and can't download it over said NIC)
:
:Honestly, every new box I try to find some use for OpenBSD but every time
:go back to some Linux flavor to actually do ... well ? anything. (Except
:play nethack. I guess, yeah, *thats* more important than a default web
:browser)
:

--
Might as well be frank, monsieur. It would take a miracle to get you out of Casablanca and the Germans have outlawed miracles.
		-- Casablanca