lynx: disable old protocols

Re: lynx: disable old protocols

Shawn K. Quinn-2
On Sun, 2014-07-13 at 02:01 -0600, Theo de Raadt wrote:
> Why haven't you left yet Shawn?

Because for the moment, I still am an OpenBSD user. And you haven't
answered my question why there's been no exploit of this "poor quality"
code (in the entire history of Lynx going back to 1992, no less).

It's so easy to look at code and say it's shitty. It's another to prove
it.

--
Shawn K. Quinn <[hidden email]>


Re: lynx: disable old protocols

Theo de Raadt
In reply to this post by Daniel Dickman
You demand us to do work?

Please leave immediately.


> On Sun, 2014-07-13 at 02:01 -0600, Theo de Raadt wrote:
> > Why haven't you left yet Shawn?
>
> Because for the moment, I still am an OpenBSD user. And you haven't
> answered my question why there's been no exploit of this "poor quality"
> code (in the entire history of Lynx going back to 1992, no less).
>
> It's so easy to look at code and say it's shitty. It's another to prove
> it.
>
> --
> Shawn K. Quinn <[hidden email]>
>


Re: lynx: disable old protocols

Ted Unangst-6
In reply to this post by Theo de Raadt
On Sat, Jul 12, 2014 at 21:43, Shawn K. Quinn wrote:

> For now, I'm going to make sure my Lynx still has full functionality if
> I have to manually unfuck the Makefile myself every time after I update
> my sources. In the future? Maybe I (and the other users who actually
> give a shit about having non-crippled software) should have switched to
> BitRig (or NetBSD, or maybe even something else) already. It's a shame
> because I was looking to buy a CD set for 5.6, too. But I won't if Lynx
> isn't all there in 5.6-release, and I'll be donating the money to
> another project (most likely BitRig) instead. Feel free to follow my
> lead should you desire.

That's a strange choice. bitrig deleted lynx entirely quite some time
ago. You won't find gopher support there either.


Re: lynx: disable old protocols

Shawn K. Quinn-2
In reply to this post by Theo de Raadt
On Sun, 2014-07-13 at 02:23 -0600, Theo de Raadt wrote:
> You demand us to do work?
>
> Please leave immediately.

No, I'm asking why there's been no exploit, not necessarily for you to
write one. In fact, Theo, I'd really rather you not try to write one,
since apparently you're averse to the idea of doing so.

--
Shawn K. Quinn <[hidden email]>


Re: lynx: disable old protocols

Paul de Weerd
In reply to this post by Shawn K. Quinn-2
On Sun, Jul 13, 2014 at 02:58:04AM -0500, Shawn K. Quinn wrote:
| On Sun, 2014-07-13 at 01:38 -0600, Theo de Raadt wrote:
| > With your attitude, I beg you to please go run some other
| > operating system.
|
| The plan is when the first Bitrig release comes out, I'm done and switch
| to that. The donations I was going to make to your project later this
| year? Not anymore. They are either going to Bitrig, or maybe some even
| to the FSF. Oh, the latter I would love to do especially since you keep
| trashing Richard Stallman every chance you get, even after the FSF gave
| you an award. (Did they ever ask for that award back? The FSF is run by
| a lot of nice people. Maybe they are too nice to have asked for you to
| return the award, but they should have. The lack of gratitude shown by
| your ridicule of RMS after getting it is just plain atrocious and casts
| a black eye on the "open source" movement you claim to be part of.)
|
| By the way, you would not have had BSD source code to hack on without
| the efforts of RMS. Think about that next time before you insult him.
| Show a little fucking gratitude for a change.

And you show your gratitude for the free software that you use by
telling the people that wrote it how to behave and making demands from
them?

Should OpenBSD keep lynx as it is because you and maybe a handful of
others want it to stay that way?  Some (extremely small) subset of
users get to decide how things are?

I believe the answer to the last question should be yes: but I don't
think you are in that subset.  The people maintaining OpenBSD get to
maintain it.  You get to use it.  You choose to complain, they choose
to ignore or ridicule you.

| Until then, I'm going to keep a close eye on changes
| under /usr/src/gnu/usr.bin/lynx and undo them on my own system if it
| disables useful functionality. It's just outrageous I have to do this to
| keep things like gopher support.

Why is that outrageous?!  Is it really outrageous that you get all the
stuff you need to turn this into exactly what you want for free?
Including, in this case, advance notification?  Should Theo come to
your house and do a little song and dance for you too?

This is Open Source Software.  You've stated it loud enough.

| BTW, I still want to see an actual exploit. None of this "the code looks
| shitty" vagueness. Look hard enough, you'll find code that looks shitty
| everywhere.

Why do you want to see an actual exploit?  Do you want to see an
actual exploit for changes that have gone into any other part of the
tree?  Ted (and others, I'm singling out Ted as he's become the
personification of deleting stuff) has been deleting lots of arcane
stuff from the tree; why are you not demanding things like fsplit are
brought back, asking where exploits are?

I know why not: you are not a fortran user.  You don't use fsplit.
You, and a few others, have stated you still use lynx with gopher
and/or other protocols.  Great: submit a port and use that.  It's
perfectly OK to actually participate in the development with
submitting changes instead of getting all worked up when things don't
happen the way you want them to.

Things in OpenBSD have changed a lot since I started using it, and not
always to my liking.  I just deal with it.  Why can't you?  Why does
anybody in OpenBSD owe you anything?  Where does your sense of
entitlement stem from?

Cheers,

Paul 'WEiRD' de Weerd

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 


Re: lynx: disable old protocols

patric conant
What about the other direction, what about all the people who believe that
lynx is the end-all, be-all choice for secure browsing, because they
believe that it's the only browser that is held to the audit standards of
being included in OpenBSD base. If it isn't, isn't there a responsibility
to disclose that, and possibly remove it from base. The only chicken and
egg issue I can see with it, is that you use it to get a list of mirrors
for your newly installed system, so you can set the pkg_path. I'd love it
if we included another method for discovering that, a copy of mirrors in
/usr/share/docs, or even a second email sent to root. I'd also like to
point out that Shawn has broken the social contract here, it's well known
that it's generally considered rude to direct developers, in this forum. I
think it's also a well-known part of the "shut up and hack," culture, that
he can offer to audit and maintain lynx in a manner consistent with the
rest of base, or be quiet about it. No users are being harmed in the
removal of unmaintained code. I'm shocked at how hard people would push
back, against having to install a package.

Re: lynx: disable old protocols

Jean-Philippe Ouellet
On Wed, Jul 16, 2014 at 01:56:00PM -0500, patric conant wrote:
> Isn't there a responsibility to disclose that, and possibly remove it
> from base.

It's being removed.

> ... you use it to get a list of mirrors for your newly installed system,
> so you can set the pkg_path. I'd love it if we included another method
> for discovering that ...

Oh come on... It's not like the URLs are some giant uuid-based madness
or something. All the mirrors have the same simple layout. If you install
lots of boxes regularly, it doesn't take long to memorize the name of
your closest mirror. If you don't install lots of stuff, then just set
installpath in your pkg.conf and forget about it.


Also, I'm not sure if this is documented anywhere besides the source
of the installer, or how long it's intended to be kept around, but
you may find http://ftp.openbsd.org/cgi-bin/ftplist.cgi to be useful.


Re: lynx: disable old protocols

Shawn K. Quinn-2
In reply to this post by patric conant
On Wed, 2014-07-16 at 13:56 -0500, patric conant wrote:
> I'd also like to point out that Shawn has broken the social contract
> here, it's well known that it's generally considered rude to direct
> developers, in this forum.

Every single free or open-source software project I have ever used has
been shaped by user feedback. Most take it seriously when users say they
still use functionality that's being slated for removal. So Patric, you
can take this "social contract" of yours and shove it up your ass. I
don't recognize it as anything but toilet paper.

--
Shawn K. Quinn <[hidden email]>


Re: lynx: disable old protocols

Theo de Raadt
In reply to this post by Daniel Dickman
>On Wed, 2014-07-16 at 13:56 -0500, patric conant wrote:
>> I'd also like to point out that Shawn has broken the social contract
>> here, it's well known that it's generally considered rude to direct
>> developers, in this forum.
>
>Every single free or open-source software project I have ever used has
>been shaped by user feedback. Most take it seriously when users say they
>still use functionality that's being slated for removal. So Patric, you
>can take this "social contract" of yours and shove it up your ass. I
>don't recognize it as anything but toilet paper.

Shawn -- leave this list.



Re: lynx: disable old protocols

STeve Andre'
In reply to this post by Shawn K. Quinn-2
On 07/16/14 17:00, Shawn K. Quinn wrote:

> On Wed, 2014-07-16 at 13:56 -0500, patric conant wrote:
>> I'd also like to point out that Shawn has broken the social contract
>> here, it's well known that it's generally considered rude to direct
>> developers, in this forum.
> Every single free or open-source software project I have ever used has
> been shaped by user feedback. Most take it seriously when users say they
> still use functionality that's being slated for removal. So Patric, you
> can take this "social contract" of yours and shove it up your ass. I
> don't recognize it as anything but toilet paper.
>
Shawn, I'm sorry but that's really out of line.  Lynx will move
to ports, which is the best of both worlds.  It may be of
questionable quality, so not in base, but with lots of other
software, also of questionable quality *but available to all*.

So that's it.  Case closed, in a reasonable manner, I think.

--STeve Andre'




Re: lynx: disable old protocols

Stuart Henderson-6
In reply to this post by Jean-Philippe Ouellet
On 2014/07/16 16:00, Jean-Philippe Ouellet wrote:
> Oh come on... It's not like the URLs are some giant uuid-based madness
> or something. All the mirrors have the same simple layout. If you install
> lots of boxes regularly, it doesn't take long to memorize the name of
> your closest mirror. If you don't install lots of stuff, then just set
> installpath in your pkg.conf and forget about it.

If you choose your mirror from the list in the installer, this is already
set automatically in pkg.conf.


Re: lynx: disable old protocols

Adam Thompson
In reply to this post by STeve Andre'
For the rest of us who prefer to use software instead of demanding changes, this simply means using OpenBSD in a strictly-isolated environment becomes a bit more difficult.

I'm still not willing to use Linux LiveCDs in certain environments for the most part, and I'll just get used to having the ports I absolutely need (probably elinks or Firefox, at this point, not lynx!) on a pre-burned CD.

Related question: what happened to putting the most commonly-used pkgs on the CDs?  Did we just run out of room?  My 5.5 CD set has a grand total of about 8 packages IIRC.

Most of us get that you're all hacking on OpenBSD primarily to scratch a personal itch and secondarily to provide something good to the rest of the world.  I recall reading somewhere a summary of the tech@ attitude, which boiled down to "if you can use our code, great, otherwise go away and stop bothering us".

I'll keep providing opinions and feedback, but even (sizeable) donations to the foundation don't earn me the *right* to be heeded.

Apologies for the noise on tech@, but moving to misc would be even worse.

-Adam

On July 16, 2014 4:08:09 PM CDT, STeve Andre' <[hidden email]> wrote:

>On 07/16/14 17:00, Shawn K. Quinn wrote:
>> On Wed, 2014-07-16 at 13:56 -0500, patric conant wrote:
>>> I'd also like to point out that Shawn has broken the social contract
>>> here, it's well known that it's generally considered rude to direct
>>> developers, in this forum.
>> Every single free or open-source software project I have ever used has
>> been shaped by user feedback. Most take it seriously when users say they
>> still use functionality that's being slated for removal. So Patric, you
>> can take this "social contract" of yours and shove it up your ass. I
>> don't recognize it as anything but toilet paper.
>>
>Shawn, I'm sorry but that's really out of line.  Lynx will move
>to ports, which is the best of both worlds.  It may be of
>questionable quality, so not in base, but with lots of other
>software, also of questionable quality *but available to all*.
>
>So that's it.  Case closed, in a reasonable manner, I think.
>
>--STeve Andre'

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: lynx: disable old protocols

Theo de Raadt
In reply to this post by Daniel Dickman
> For the rest of us who prefer to use software instead of demanding
> changes, this simply means using OpenBSD in a strictly-isolated
> environment becomes a bit more difficult.

This statement makes no sense.  Why would you strictly isolate the
environment?  Because you want security.  In that case, have you read
the code for lynx?

> I'm still not willing to use Linux LiveCDs in certain environments
> for the most part, and I'll just get used to having the ports I
> absolutely need (probably elinks or Firefox, at this point, not lynx!)
> on a pre-burned CD.

Piece of cake.

> Related question: what happened to putting the most commonly-used
> pkgs on the CDs?  Did we just run out of room?  My 5.5 CD set has a
> grand total of about 8 packages IIRC.

Yes, we run out, actually on a regular basis.  I don't think people
realize how much effort goes into re-fitting things.  Most releases it
is simple, but other releases we suddenly must revamp the layout
pretty substantially.  It isn't some amateur 1 hour effort.  I do not
know yet what happens for 5.6, I have not repeated the 5.5 layout yet.

pkg_add uses signify keys now.  You can use the internet to get packages.
They do not need to be on the release CD.

> Most of us get that you're all hacking on OpenBSD primarily to
> scratch a personal itch and secondarily to provide something good to
> the rest of the world.  I recall reading somewhere a summary of the
> tech@ attitude, which boiled down to "if you can use our code, great,
> otherwise go away and stop bothering us".

Thank you.


Re: lynx: disable old protocols

Amit Kulkarni-5
In reply to this post by Shawn K. Quinn-2
On Wed, Jul 16, 2014 at 4:00 PM, Shawn K. Quinn <[hidden email]>
wrote:

> On Wed, 2014-07-16 at 13:56 -0500, patric conant wrote:
> > I'd also like to point out that Shawn has broken the social contract
> > here, it's well known that it's generally considered rude to direct
> > developers, in this forum.
>
> Every single free or open-source software project I have ever used has
> been shaped by user feedback. Most take it seriously when users say they
> still use functionality that's being slated for removal. So Patric, you
> can take this "social contract" of yours and shove it up your ass. I
> don't recognize it as anything but toilet paper.
>

And the ports devs did listen ***seriously***. bcallah@ provided an initial
port and sthen@ gave some feedback. It might make it into the ports
tree. Are you not subscribed to ports@? Lynx is probably just a pkg_add
away. Or if that effort is abandoned, you can whip up your own port based
on bcallah@ initial port.

This project is also shaped by user feedback. Otherwise, those two wouldn't
have bothered wasting their time on lynx.

Re: lynx: disable old protocols

Ville Valkonen
In reply to this post by Stuart Henderson-6
On 17 July 2014 00:10, Stuart Henderson <[hidden email]> wrote:
> On 2014/07/16 16:00, Jean-Philippe Ouellet wrote:
>> Oh come on... It's not like the URLs are some giant uuid-based madness
>> or something. All the mirrors have the same simple layout. If you install
>> lots of boxes regularly, it doesn't take long to memorize the name of
>> your closest mirror. If you don't install lots of stuff, then just set
>> installpath in your pkg.conf and forget about it.
>
> If you choose your mirror from the list in the installer, this is already
> set automatically in pkg.conf.

Hello Stuart,

what would you suggest for situations where installXX.iso is burned to
a CD to avoid downloading sets from the net due to a slow Internet
connection? When sets are installed from the CD it doesn't set
PKG_PATH. I couldn't find any mirror list from the ISO image by
grepping.

Previously I've used lynx to navigate on the project's website and
copy&paste mirror URL with tmux.

Thanks in advance,
Ville


Re: lynx: disable old protocols

Bob Beck-2
ftp -o - http://ftp.openbsd.org/pub/OpenBSD/snapshots/ftplist | some
script, or maybe your eyes and pick one.

On Fri, Jul 18, 2014 at 4:29 PM, Ville Valkonen <[hidden email]> wrote:

> On 17 July 2014 00:10, Stuart Henderson <[hidden email]> wrote:
>> On 2014/07/16 16:00, Jean-Philippe Ouellet wrote:
>>> Oh come on... It's not like the URLs are some giant uuid-based madness
>>> or something. All the mirrors have the same simple layout. If you install
>>> lots of boxes regularly, it doesn't take long to memorize the name of
>>> your closest mirror. If you don't install lots of stuff, then just set
>>> installpath in your pkg.conf and forget about it.
>>
>> If you choose your mirror from the list in the installer, this is already
>> set automatically in pkg.conf.
>
> Hello Stuart,
>
> what would you suggest for situations where installXX.iso is burned to
> a CD to avoid downloading sets from the net due to a slow Internet
> connection? When sets are installed from the CD it doesn't set
> PKG_PATH. I couldn't find any mirror list from the ISO image by
> grepping.
>
> Previously I've used lynx to navigate on the project's website and
> copy&paste mirror URL with tmux.
>
> Thanks in advance,
> Ville
>


Re: lynx: disable old protocols

Stuart Henderson-6
In reply to this post by Ville Valkonen
On 2014/07/19 01:29, Ville Valkonen wrote:
> what would you suggest for situations where installXX.iso is burned to
> a CD to avoid downloading sets from the net due to a slow Internet
> connection? When sets are installed from the CD it doesn't set
> PKG_PATH. I couldn't find any mirror list from the ISO image by
> grepping.

Personally I remember a few nearby mirror URLs, but I do think this could
be improved - we could add a sample pkg.conf file to /etc/examples with
a list of mirrors updated from mirrors.dat. Unless there are objections to
that idea, I'll look at modifying the scripts for this.


Re: lynx: disable old protocols

Paul Irofti-4
On Sat, Jul 19, 2014 at 12:28:17PM +0100, Stuart Henderson wrote:

> On 2014/07/19 01:29, Ville Valkonen wrote:
> > what would you suggest for situations where installXX.iso is burned to
> > a CD to avoid downloading sets from the net due to a slow Internet
> > connection? When sets are installed from the CD it doesn't set
> > PKG_PATH. I couldn't find any mirror list from the ISO image by
> > grepping.
>
> Personally I remember a few nearby mirror URLs, but I do think this could
> be improved - we could add a sample pkg.conf file to /etc/examples with
> a list of mirrors updated from mirrors.dat. Unless there are objections to
> that idea, I'll look at modifying the scripts for this.

That would be awesome no matter if we have or don't have a browser in
base.


Re: lynx: disable old protocols

Stuart Henderson-6
In reply to this post by Stuart Henderson-6
On 2014/07/19 12:28, Stuart Henderson wrote:

> On 2014/07/19 01:29, Ville Valkonen wrote:
> > what would you suggest for situations where installXX.iso is burned to
> > a CD to avoid downloading sets from the net due to a slow Internet
> > connection? When sets are installed from the CD it doesn't set
> > PKG_PATH. I couldn't find any mirror list from the ISO image by
> > grepping.
>
> Personally I remember a few nearby mirror URLs, but I do think this could
> be improved - we could add a sample pkg.conf file to /etc/examples with
> a list of mirrors updated from mirrors.dat. Unless there are objections to
> that idea, I'll look at modifying the scripts for this.
>

Oh, this nearly works, but pkg.conf needs a full pkgpath (with
either version number or "snapshots" and machine arch)...

Marc, would you consider permitting variables (either just in pkg.conf,
or in PKG_PATH in general) which are replaced at runtime with the current
OS version and cpu arch? That way we could provide a sample pkg.conf
that looks something like the excerpt below:

-- -- -- --
# $OpenBSD$
# Users of release versions can simply uncomment a line.
# Users of snapshots should replace %V with the word 'snapshots'.

# Australia
#installpath=http://mirror.internode.on.net/pub/OpenBSD/%V/packages/%A/
#installpath=http://mirror.aarnet.edu.au/pub/OpenBSD/%V/packages/%A/
#installpath=http://ftp.iinet.net.au/pub/OpenBSD/%V/packages/%A/

# Austria
#installpath=http://ftp5.eu.openbsd.org/ftp/pub/OpenBSD/%V/packages/%A/
#installpath=http://ftp2.eu.openbsd.org/pub/OpenBSD/%V/packages/%A/

<...>
-- -- -- --
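
The substitution proposed above, sketched as an added example (not code from this thread or from pkg_add): a POSIX sh function that expands %V and %A in the active installpath lines of a pkg.conf and refuses version or arch strings that could change the URL path. The function name, the validation rules and the mirror.example.* hosts are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of the %V / %A placeholders proposed in the message above.
# Not pkg_add code; the validation rules below are assumptions.

# Constructed sample pkg.conf: one commented-out line, one active line.
SAMPLE_CONF='# constructed sample, hosts are placeholders
#installpath=http://mirror.example.org/pub/OpenBSD/%V/packages/%A/
installpath = http://mirror.example.net/pub/OpenBSD/%V/packages/%A/'

# expand_installpath VERSION ARCH   (reads pkg.conf text on stdin)
# Prints one expanded URL per active (uncommented) installpath line.
# Returns 1 without reading input if VERSION or ARCH is not a plain token.
expand_installpath() {
    ver=$1 arch=$2

    # VERSION: either the word "snapshots" (as the sample's own comment says)
    # or exactly N.N. Rejecting everything else keeps "/" and ".." out of
    # the package path that the values are spliced into.
    case $ver in
        snapshots) ;;
        *[!0-9.]*|''|.*|*.|*.*.*) return 1 ;;
        *.*) ;;
        *) return 1 ;;
    esac

    # ARCH: a bare machine name such as amd64 or i386.
    case $arch in
        ''|*[!a-z0-9_]*) return 1 ;;
    esac

    # Drop comment lines, keep the value of each installpath line,
    # then substitute the two placeholders.
    sed -n \
        -e '/^[[:space:]]*#/d' \
        -e 's/^[[:space:]]*installpath[[:space:]]*=[[:space:]]*//p' |
    sed -e "s/%V/$ver/g" -e "s/%A/$arch/g"
}

# Demo on the constructed sample. On a real system the arguments would come
# from something like "$(uname -r)" and "$(uname -m)".
printf '%s\n' "$SAMPLE_CONF" | expand_installpath 5.6 amd64
```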


Re: lynx: disable old protocols

Doug Hogan
In reply to this post by Stuart Henderson-6
On Sat, Jul 19, 2014 at 12:28:17PM +0100, Stuart Henderson wrote:
> Personally I remember a few nearby mirror URLs, but I do think this could
> be improved - we could add a sample pkg.conf file to /etc/examples with
> a list of mirrors updated from mirrors.dat. Unless there are objections to
> that idea, I'll look at modifying the scripts for this.

This addresses the list of package mirrors.  What about the list of anoncvs
mirrors?  That's the other task I would sometimes use lynx for.  If I'm
installing on a machine in a different location, I'd like to use a closer
mirror than the ones I memorized.

You could have mirrors.dat as a one time update since the packages are
signed.  The main issues would be if a mirror wants to get added/deleted
in between releases or if some mirror is compromised and stops sending
out new packages.

It's different with anoncvs since we're relying on the ssh pubkeys and
the updates are not signed.  Would it make sense to have a package that
contains a list of the anoncvs mirrors + ssh fingerprints?  The list would
be signed and updated in the same manner as other packages.  It may make
sense to throw mirrors.dat in there so it is signed and updated as well.
The first mirrors.dat update is bootstrapped from the installation and
then updated as a package.
