lynx: disable old protocols


Re: lynx: disable old protocols

Ted Unangst-6
On Fri, Jul 11, 2014 at 09:56, Stuart Henderson wrote:

> On 2014/07/11 18:51, Brett Mahar wrote:
>> On Fri, 11 Jul 2014 09:48:12 +0100
>> Stuart Henderson <[hidden email]> wrote:
>>
>> | On 2014/07/11 01:18, Theo de Raadt wrote:
>> | > > I too use gopher in lynx regularly, and would miss support. There is
>> | > > still a surprisingly active community using gopher. (floodgap, et al.)
>> | >
>> | > So install a package.
>> |
>> | Should we just move lynx to packages?
>> |
>>
>> I find lynx really handy to have in base, e.g. installing on a new
>> machine, users can just go to openbsd.org and cut and paste a pkg_path
>> prior to installing anything, and read the faq.
>>
>> Using openbsd for the first time would have been a lot more painful
>> without a browser in base.
>>
>
> Thing is, if we need another version of lynx in packages to support
> gopher, having one in base as well just gets confusing..

No more than many versions of gcc in base and ports, I think. We could
call it elynx. :)

We have documentation in html format, so I think we need a basic text
browser in base to view it.


Re: lynx: disable old protocols

Stuart Henderson-6
On 2014/07/11 05:05, Ted Unangst wrote:

> On Fri, Jul 11, 2014 at 09:56, Stuart Henderson wrote:
> > On 2014/07/11 18:51, Brett Mahar wrote:
> >> On Fri, 11 Jul 2014 09:48:12 +0100
> >> Stuart Henderson <[hidden email]> wrote:
> >>
> >> | On 2014/07/11 01:18, Theo de Raadt wrote:
> >> | > > I too use gopher in lynx regularly, and would miss support. There is
> >> | > > still a surprisingly active community using gopher. (floodgap, et al.)
> >> | >
> >> | > So install a package.
> >> |
> >> | Should we just move lynx to packages?
> >> |
> >>
> >> I find lynx really handy to have in base, e.g. installing on a new
> >> machine, users can just go to openbsd.org and cut and paste a pkg_path
> >> prior to installing anything, and read the faq.
> >>
> >> Using openbsd for the first time would have been a lot more painful
> >> without a browser in base.
> >>
> >
> > Thing is, if we need another version of lynx in packages to support
> > gopher, having one in base as well just gets confusing..
>
> No more than many versions of gcc in base and ports, I think. We could
> call it elynx. :)

Yes, that's confusing too, especially with nginx.

> We have documentation in html format, so I think we need a basic text
> browser in base to view it.

BIND, Lynx itself, Sendmail milters, ncurses.


Re: lynx: disable old protocols

Paul Irofti-4
In reply to this post by Daniel Dickman
On Thu, Jul 10, 2014 at 11:05:45PM -0400, Daniel Dickman wrote:

> Patch below turns off the following ancient protocols built into lynx:
> bibp, finger, gopher, and news.
>
> For some urls, lynx will invoke an external command. Turn off telnet,
> rlogin and tn3270 urls by defining them to false(1) as documented in the
> lynx manual.
>
> Finally, turn off the file editor which can be accessed with "g.<enter>"
> using the --disable-dired switch.
>
> ok to commit?

No, gopher can't go!

>
> Index: Makefile.bsd-wrapper
> ===================================================================
> RCS file: /home/cvs/src/gnu/usr.bin/lynx/Makefile.bsd-wrapper,v
> retrieving revision 1.24
> diff -u -p -u -r1.24 Makefile.bsd-wrapper
> --- Makefile.bsd-wrapper 15 Apr 2014 20:55:42 -0000 1.24
> +++ Makefile.bsd-wrapper 11 Jul 2014 02:47:31 -0000
> @@ -5,7 +5,10 @@ CLEANFILES+= lynx.1
>  DPADD= ${LIBSSL} ${LIBCRYPTO}
>  
>  GNUCFLAGS= CC="${CC}" CFLAGS="${CFLAGS} ${COPTS} ${OPT}" LDFLAGS="${LDFLAGS}"
> -CONFIGURE_ARGS= --with-ssl=/usr --enable-widec --enable-ipv6 --enable-debug
> +CONFIGURE_ARGS= --with-ssl=/usr --enable-widec --enable-ipv6 --enable-debug \
> + --disable-bibp-urls --disable-finger --disable-gopher --disable-news \
> + --disable-dired
> +
>  HTMLDIR= /usr/share/doc/html
>  HELPFILES= keystrokes/alt_edit_help.html keystrokes/bookmark_help.html \
>   keystrokes/cookie_help.html keystrokes/dired_help.html \
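Review bot: `--disable-dired` is added to CONFIGURE_ARGS, but the HELPFILES list directly below still installs keystrokes/dired_help.html, so the help page for a feature the binary no longer has keeps shipping; drop it from HELPFILES or say in the commit message why it stays. Minor style point: the trailing `+` line inserts a blank line between CONFIGURE_ARGS and HTMLDIR that the neighbouring assignments do not have.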
> @@ -39,12 +42,18 @@ config: .FORCE
>   PATH="/bin:/usr/bin:/sbin:/usr/sbin" \
>   ${GNUCFLAGS} \
>   INSTALL_PROGRAM="${INSTALL} ${INSTALL_COPY} ${INSTALL_STRIP}" \
> + TELNET=/usr/bin/false \
> + RLOGIN=/usr/bin/false \
> + TN3270=/usr/bin/false \
>   sh ${.CURDIR}/configure --prefix=/usr --sysconfdir=/etc --disable-color-style ${CONFIGURE_ARGS}
>  
>  config.status:
>   PATH="/bin:/usr/bin:/sbin:/usr/sbin" \
>   ${GNUCFLAGS} \
>   INSTALL_PROGRAM="${INSTALL} ${INSTALL_COPY} ${INSTALL_STRIP}" \
> + TELNET=/usr/bin/false \
> + RLOGIN=/usr/bin/false \
> + TN3270=/usr/bin/false \
>   sh ${.CURDIR}/configure --prefix=/usr --sysconfdir=/etc --disable-color-style ${CONFIGURE_ARGS} ${CF}
>  
>  lynx.1: ${.CURDIR}/lynx.man
>
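Review bot: the three `TELNET=/usr/bin/false`, `RLOGIN=/usr/bin/false`, `TN3270=/usr/bin/false` overrides are pasted identically into both the config and config.status targets; both targets already share ${GNUCFLAGS}, so folding the overrides into that variable (or one defined next to it) keeps the two configure invocations from drifting apart. Also worth a sentence in the commit message: a telnet:, rlogin: or tn3270: URL will now run false(1), which exits non-zero with no output, so the user sees nothing rather than a message that the scheme is disabled; that is harder to diagnose than a rejected URL.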


Re: lynx: disable old protocols

Adam Thompson
In reply to this post by Theo de Raadt
I would know of its existence, but likely not install it.  As I said, I have workarounds.  I remember how bad the code was years ago, so I agree with the idea in general, but it will be a pain in the butt for me every once in a while :-(.
-Adam

On July 11, 2014 4:03:29 AM CDT, Theo de Raadt <[hidden email]> wrote:
>If lynx was removed from base, and only available in ports... how many
>of you would even know of its existence and use it?

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: lynx: disable old protocols

Henning Brauer-7
In reply to this post by Stuart Henderson-6
* Stuart Henderson <[hidden email]> [2014-07-11 10:49]:
> Should we just move lynx to packages?

hmm. having a simple text browser in base is worthwhile imo. and if it
is just to download sth where i don't know the exact URL.

personally, I haven't used lynx for anything but http and https in...
what, a decade?

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/


Re: lynx: disable old protocols

Henning Brauer-7
In reply to this post by Paul Irofti-4
* Paul Irofti <[hidden email]> [2014-07-11 11:40]:
> No, gopher can't go!

just do
  pkg_gyp gopher
to get over it.

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/


Re: lynx: disable old protocols

patrick keshishian
In reply to this post by Theo de Raadt
On 7/11/14, Theo de Raadt <[hidden email]> wrote:
> If lynx was removed from base, and only available in ports... how many of
> you would even know of its existence and use it?

asking rhetorically?
either way, yes, I would install lynx if it wasn't in base.
I use it on a daily basis.

--patrick


Re: lynx: disable old protocols

Craig Skinner-3
In reply to this post by Theo de Raadt
On 2014-07-11 Fri 03:03 AM |, Theo de Raadt wrote:
> If lynx was removed from base, and only available in ports... how many of
> you would even know of its existence and use it?
>

Several times a week I use lynx for http or local html docs.

If it wasn't in base, I'd install it/some similar package via siteXX.tgz


Re: lynx: disable old protocols

Shawn K. Quinn-2
In reply to this post by Theo de Raadt
On Fri, 2014-07-11 at 03:03 -0600, Theo de Raadt wrote:
> If lynx was removed from base, and only available in ports... how many of
> you would even know of its existence and use it?

Not only would I know of its existence and go install it to use, I would
wonder out loud why the hell it's not in base.

Furthermore, if it had been intentionally crippled to exclude rare but
definitely used protocols like gopher that are part of "stock" Lynx as
released by the current maintainers, I would wonder what kind of whacked
out hallucinogenics someone had to have been on to do such a thing.
(It's something I'd expect from Firefox developers, but definitely not
from OpenBSD maintainers.)

If there's a security hole related to gopher or bibp, let's fix it,
let's not up and drop support for those protocols because of it. People
do use these protocols even in 2014.

If it's code bloat, I'd like to know just how much code we're talking
about. Unless we're going to try to put Lynx on install media (and I am
definitely not suggesting that we do), 1.7 megabytes really isn't all
that big (it's actually smaller than ftp). If you have gamesXX.tgz
installed and never play them you have no business complaining about
bloat on a binary of that size.

Looking back over this patch, I see no reason to break telnet support
since we still ship a telnet client. (In case anyone brings this up, I
see no reason to remove telnet from base either.) Also, there's no good
reason I can think of to break rlogin and tn3270 support for the people
who have those installed and need to use it. I retract any support I may
have indicated.

Now, should the upstream remove this support for whatever reason, that's
an entirely different can of worms. But if it ain't broke, don't fix it.
And from here it looks like it ain't broke.

--
Shawn K. Quinn <[hidden email]>


Re: lynx: disable old protocols

Theo de Raadt
In reply to this post by Daniel Dickman
> If there's a security hole related to gopher or bibp, let's fix it,
> let's not up and drop support for those protocols because of it. People
> do use these protocols even in 2014.

"let's" is a contraction for "let us".

Basically the community must audit lynx, if they want it to remain in base.
Those of us who have glanced judged it to be of poor quality.

> If it's code bloat, I'd like to know just how much code we're talking
> about.

This is open source.  You know you can find the source yourself and read
it?  Or .. perhaps you can't, and just wish to preach to us?


Re: lynx: disable old protocols

Landry Breuil-6
In reply to this post by Shawn K. Quinn-2
On Sat, Jul 12, 2014 at 06:11:16AM -0500, Shawn K. Quinn wrote:

> On Fri, 2014-07-11 at 03:03 -0600, Theo de Raadt wrote:
> > If lynx was removed from base, and only available in ports... how many of
> > you would even know of its existence and use it?
>
> Not only would I know of its existence and go install it to use, I would
> wonder out loud why the hell it's not in base.
>
> Furthermore, if it had been intentionally crippled to exclude rare but
> definitely used protocols like gopher that are part of "stock" Lynx as
> released by the current maintainers, I would wonder what kind of whacked
> out hallucinogenics someone had to have been on to do such a thing.
> (It's something I'd expect from Firefox developers, but definitely not
> from OpenBSD maintainers.)

Beware with such statements, some have both hats.

Landry


Re: lynx: disable old protocols

Shawn K. Quinn-2
In reply to this post by Shawn K. Quinn-2
On Sat, 2014-07-12 at 06:11 -0500, Shawn K. Quinn wrote:
> If it's code bloat, I'd like to know just how much code we're talking
> about. Unless we're going to try to put Lynx on install media (and I am
> definitely not suggesting that we do), 1.7 megabytes really isn't all
> that big (it's actually smaller than ftp). If you have gamesXX.tgz
> installed and never play them you have no business complaining about
> bloat on a binary of that size.

The recent patch which removes bibp support and breaks telnet URLs
removes a whopping 8k or so (at least on amd64 here, versus -current
from a couple days before). If hard drives still topped out at a
gigabyte or less that might be an impressive reduction, but those days
are long gone.

Taking out dired, gopher, news, and finger only makes a total reduction
of some 121k. Again, it might make a difference if your whole hard disk
is under a gigabyte. Today, a terabyte or significant fraction thereof
is more likely. So, not impressive given what we're losing by saving
that small amount of disk space.

And this comment:

> leave gopher, news, and dired in place for now. but we will soon catch up
> to the security level of internet explorer 7 by removing these too.

This is complete bullshit, to the point where I would think it came
straight from Microsoft's PR department. There is no way in hell that
Lynx was ever as insecure as Internet Explorer 7, much less is today.
Lynx, by its very nature, is one of the most secure browsers out there,
as it lacks almost all of the attack vectors (Javascript, CSS, etc)
that, say, Firefox or Chrome has. The most recent advisory for Lynx I
found was from 2005, then one from 2003, then one from 2000. That's
three over a six-year span, then bupkis for the next nine. I think a
more appropriate way of wording this comment in full is:

"despite several messages on tech@, start gutting lynx under the guise
of security. specifically, ignore the people who said bibp is in use and
get rid of it. break telnet, rlogin, and tn3270 for the hell of it.

"leave gopher, news, and dired in place for now. but we will soon catch
up to Microsoft's level of saying 'fuck the users' by removing these
too, because we feel like it.

"ok's for the version of this diff that removes even more protocols from
deraadt@, tedu@. general support from other devs. again, fuck the people
actually using our software, fuck gopher, fuck bibp, fuck nntp and
Usenet. OpenBSD: where do you want to go today?"

Seriously, if you are worried about getting hacked from using Lynx (and
I mean real Lynx as distributed, with support for gopher, finger, bibp,
telnet, and the kitchen sink included), maybe the Internet is just not
for you. As for me, I feel safe running Lynx as root. I'd be surprised
to find that many people who were not.

Finally, I'm horrified that bibp support was removed, and telnet support
was broken, *after* others said they were still using it. I expect this
kind of ham-fisted "fuck the users" move from companies like Microsoft
and Apple. I honestly never thought I'd see the day that it would happen
in OpenBSD.

For now, I'm going to make sure my Lynx still has full functionality if
I have to manually unfuck the Makefile myself every time after I update
my sources. In the future? Maybe I (and the other users who actually
give a shit about having non-crippled software) should have switched to
BitRig (or NetBSD, or maybe even something else) already. It's a shame
because I was looking to buy a CD set for 5.6, too. But I won't if Lynx
isn't all there in 5.6-release, and I'll be donating the money to
another project (most likely BitRig) instead. Feel free to follow my
lead should you desire.

--
Shawn K. Quinn <[hidden email]>


Re: lynx: disable old protocols

Jorge Castillo
> Maybe I (and the other users who actually
> give a shit about having non-crippled software) should have switched to
> BitRig (or NetBSD, or maybe even something else) already.

Good luck, I won't miss you!


Re: lynx: disable old protocols

William Orr-2
In reply to this post by Theo de Raadt
On 7/11/2014 2:03 AM, Theo de Raadt wrote:
> If lynx was removed from base, and only available in ports... how many of
> you would even know of its existence and use it?

I absolutely would use it if it were only available in ports.

I only complain about gopher support being removed because lynx has the
best gopher browsing experience around, and in OpenBSD-land, there's no
alternative other than building it and installing it out-of-band.

I would happily use a package, be it instead of or in addition to a
stripped-down lynx in base.

wrt. auditing it, should we send patches here? Or upstream?


Re: lynx: disable old protocols

Shawn K. Quinn-2
On Sat, 2014-07-12 at 23:58 -0700, William Orr wrote:
> wrt. auditing it, should we send patches here? Or upstream?

I'd send them both places, if they apply cleanly to both sets of code.
Otherwise, send them here. I'd love to be proven wrong about the
maintainers not really giving a shit about the users, and accepting
packages which make gopher browsing "more secure" or "improve the code
quality" would help.

BTW, I forgot to ask, where are the exploits for this poor quality code?
i.e. if I'm browsing a gopher site with the current Lynx as root, what
exactly do I have to stumble upon to get "owned?" Or is it just a "this
is ugly in a few places" kind of vague feeling by some devs? I have a
feeling there aren't any (exploits), but I thought I'd ask anyway.

--
Shawn K. Quinn <[hidden email]>


Re: lynx: disable old protocols

Theo de Raadt
In reply to this post by Daniel Dickman
With your attitude, I beg you to please go run some other
operating system.


Re: lynx: disable old protocols

Shawn K. Quinn-2
On Sun, 2014-07-13 at 01:38 -0600, Theo de Raadt wrote:
> With your attitude, I beg you to please go run some other
> operating system.

The plan is when the first Bitrig release comes out, I'm done and switch
to that. The donations I was going to make to your project later this
year? Not anymore. They are either going to Bitrig, or maybe some even
to the FSF. Oh, the latter I would love to do especially since you keep
trashing Richard Stallman every chance you get, even after the FSF gave
you an award. (Did they ever ask for that award back? The FSF is run by
a lot of nice people. Maybe they are too nice to have asked for you to
return the award, but they should have. The lack of gratitude shown by
your ridicule of RMS after getting it is just plain atrocious and casts
a black eye on the "open source" movement you claim to be part of.)

By the way, you would not have had BSD source code to hack on without
the efforts of RMS. Think about that next time before you insult him.
Show a little fucking gratitude for a change.

Until then, I'm going to keep a close eye on changes
under /usr/src/gnu/usr.bin/lynx and undo them on my own system if it
disables useful functionality. It's just outrageous I have to do this to
keep things like gopher support.

BTW, I still want to see an actual exploit. None of this "the code looks
shitty" vagueness. Look hard enough, you'll find code that looks shitty
everywhere.

--
Shawn K. Quinn <[hidden email]>
"OpenBSD: Where do you want to go today?"


Re: lynx: disable old protocols

Theo de Raadt
In reply to this post by Daniel Dickman
Why haven't you left?

Please leave.

> On Sat, 2014-07-12 at 23:58 -0700, William Orr wrote:
> > wrt. auditing it, should we send patches here? Or upstream?
>
> I'd send them both places, if they apply cleanly to both sets of code.
> Otherwise, send them here. I'd love to be proven wrong about the
> maintainers not really giving a shit about the users, and accepting
> packages which make gopher browsing "more secure" or "improve the code
> quality" would help.
>
> BTW, I forgot to ask, where are the exploits for this poor quality code?
> i.e. if I'm browsing a gopher site with the current Lynx as root, what
> exactly do I have to stumble upon to get "owned?" Or is it just a "this
> is ugly in a few places" kind of vague feeling by some devs? I have a
> feeling there aren't any (exploits), but I thought I'd ask anyway.
>
> --
> Shawn K. Quinn <[hidden email]>
>


Re: lynx: disable old protocols

Otto Moerbeek
In reply to this post by Shawn K. Quinn-2
On Sun, Jul 13, 2014 at 02:26:10AM -0500, Shawn K. Quinn wrote:

> On Sat, 2014-07-12 at 23:58 -0700, William Orr wrote:
> > wrt. auditing it, should we send patches here? Or upstream?
>
> I'd send them both places, if they apply cleanly to both sets of code.
> Otherwise, send them here. I'd love to be proven wrong about the
> maintainers not really giving a shit about the users, and accepting
> packages which make gopher browsing "more secure" or "improve the code
> quality" would help.
>
> BTW, I forgot to ask, where are the exploits for this poor quality code?
> i.e. if I'm browsing a gopher site with the current Lynx as root, what
> exactly do I have to stumble upon to get "owned?" Or is it just a "this
> is ugly in a few places" kind of vague feeling by some devs? I have a
> feeling there aren't any (exploits), but I thought I'd ask anyway.

Sigh, you want to make us spend time on writing exploits for every
potential problem found? That means any development will grind to a halt.

If you don't trust our judgement, then don't use OpenBSD.

        -Otto


Re: lynx: disable old protocols

Theo de Raadt
In reply to this post by Daniel Dickman
Why haven't you left yet Shawn?
