1. 2

    On wikipedia it says:

    For most of its lifetime, the Lisa never went beyond the original seven applications that Apple had deemed enough to “do everything”

    Does anyone know what these applications were?

    1. 3

      The Lisa Office System was eventually renamed “7/7”, in reference to the seven supplied application programs: LisaWrite, LisaCalc, LisaDraw, LisaGraph, LisaProject, LisaList, and LisaTerminal.


      1. 1

        Ah, missed that bit

    1. 0

      You don’t want to manually write makefiles. Use Autotools instead: https://autotools.io/index.html

      1. 14

        Why not, its completely fine to write “simple” makefiles for “simple” projects. I think the musl makefile is a good example for a not so simple but still simple makefile.

        To me autotools generated makefiles are a hell to debug, just slightly less hellish than debugging cmake.

        1. 5

          The musl makefile is one of the cleanest production makefiles I’ve ever seen. But I note even its opening comment says, “This is how simple every makefile should be… No, I take that back - actually most should be less than half this size.”

          I count, at least, 3 languages used:

          1. GNU dialect of make
          2. shell
          3. sed

          And hacks like this:

          obj/musl-gcc: config.mak
          	printf '#!/bin/sh\nexec "$${REALGCC:-$(WRAPCC_GCC)}" "$$@" -specs "%s/musl-gcc.specs"\n' "$(libdir)" > $@
          	chmod +x $@
          obj/%-clang: $(srcdir)/tools/%-clang.in config.mak
          	sed -e 's!@CC@!$(WRAPCC_CLANG)!g' -e 's!@PREFIX@!$(prefix)!g' -e 's!@INCDIR@!$(includedir)!g' -e 's!@LIBDIR@!$(libdir)!g' -e 's!@LDSO@!$(LDSO_PATHNAME)!g' $< > $@
          	chmod +x $@

          Local legend @andyc of Oil Shell fame pushes the idea that Shell, Awk, and Make Should Be Combined. IMHO, the musl example is persuasive empirical evidence for his position.

          (I’m hoping @stefantalpalaru is being sarcastic about Autotools and we’re all falling to Poe’s Law.)

          1. 2

            (I’m hoping @stefantalpalaru is being sarcastic about Autotools and we’re all falling to Poe’s Law.)

            No, I’m not. I’ve worked with hand written Makefiles, Autotools and CMake on complex projects and I honestly think that Autotools is the lesser of all evils.

            Local legend @andyc of Oil Shell fame

            Now I hope you’re the one being sarcastic. Who exactly uses the Oil Shell?

            1. 3

              Now I hope you’re the one being sarcastic.

              I was not being sarcastic. @andyc’s Oil Shell posts consistently do well in voting here.

              Who exactly uses the Oil Shell?

              Who uses a less than a year old shell that explicitly isn’t for public use yet? I’m hoping very few people.

              What does the number of Oil Shell users have to do with his argument?

        2. 7

          Err. Last time I touched autotools it was a crawling horror.

          Makefiles are fine. Just don’t write ones that call other makefiles (recursive make considered harmful and all that).

          1. 3

            Just don’t write ones that call other makefiles (recursive make considered harmful and all that).

            Clearly someone needs to write “Make: The Good Parts” 😂

            1. 2

              Isn’t non-recursive make also considered harmful?

              1. 2

                I think the ideal is a makefile that includes parts from all over your source tree, so that there’s one virtual Makefile (no recursive make invocation O(n^2) issues) but changes can be made locally. Best of both worlds!

            2. 5

              I’m no expert on Make or Autotools, but my response to building automation on top of an automation tool is: “Please, god, no!”

              If your automation tool lacks the expressiveness to automate the problem your solving, the solution should never be to bolt another automation tool on top of it. It’s time to start over.

              1. 2

                I’m going to take a guess that you’re not a DevOps engineer.

                1. 1

                  “Lets just use another layer of automation!” is the DevOps version of solving every problem with another layer of indirection clearly! :)

                2. 1

                  But why not? One tool (cmake, meson) checks dependencies and works on high-level concepts such as “binary”, “library”. Other tool (make, ninja) is low-level and operates on building individual files. It’s sane separation of concerns.

                  Make, however, tries to be high-level (at least GNU make, it even has built-in Scheme), but not enough high-level and it might be better at low level (that’s why ninja was invented).

                  Monolith build tools like Bazel might better handle invalidation but this class of tools is not explored enough (existing tools are designed for specific Google/Facebook’s use cases).

                3. [Comment removed by author]

                  1. 3

                    Autotools is terrible.

                    Yes, but all the alternatives are worse.

                  2. 1



                    And look how complicated this configure script is which doesn’t take 60 seconds to run:


                  1. 5

                    Why is this still a blacklist instead of a whitelist? There are many more environment variables in glibc that might result in undefined behavior or worse.

                    1. 21

                      Compiling Firefox on 8 core ryzen targetting the host arch takes between 10 and 15 minutes.

                      1. 10

                        Wow that is fast, takes ~2h on a build server that takes 7 hours for chromium. All the recent rust stuff really slowed it down.

                        1. 6

                          All the recent rust stuff really slowed it down.

                          Oof, yeah, I bet. Rust is notoriously slow to compile. Luckily, incremental compilation is in the nightly compiler right now. I’ve been using it wherever I can and it really does make a difference. But I suppose it wouldn’t do much for an initial compilation of a project. :(

                          1. 4

                            In this case a large chunk of this is just bindgen; we need to generate bindings so we throw a libclang-based-bindings generator at all of the header files. Twice (complicated reasons for this).

                            It’s also pretty single threaded (codegen units will help with this, but currently isn’t, and I have to investigate why).

                            Incremental compilation and working codegen units and cleaning up the bindgen situation will help a lot. Going to take a while, though.

                            1. 3

                              But I suppose it wouldn’t do much for an initial compilation of a project.

                              Also not going to help packagers who use only temporary compilation environments which are discarded after a package is built.

                              1. 6

                                Package managers (and regular builds also) should not be starting from scratch every time. Even if we insist on doing all source editing in ASCII, we need to be delivering modules as fully-typed, parsed ASTs.

                                This insistence on going back to plain source code every chance we get and starting over is easily wasting more energy than the bitcoin bubble.

                                1. 9

                                  Package managers (and regular builds also) should not be starting from scratch every time.

                                  They should if you want reproducible builds.

                                  1. 3

                                    These are completely orthogonal. There’s nothing stopping reproduceable builds where you run the entire pipeline if you insist on comparing the hash of the source and the hash of the output. And you would still get the same benefit by comparing source<->ast and ast<->binary

                                    1. 1

                                      Yeah, ideally a compiler would take a difference in source to a difference in output. Compiler differentiation?

                                    2. 2

                                      I believe you can do a decent amount of caching in this space? Like MSFT and co. have compile serverse that will store incrementally compiled stuff for a lot of projects so you’re only compiling changes

                                2. 7

                                  My non-beefy lenovo x series laptop takes ~45 minutes for a complete recompile, ~12min for average changes w/ ccache etc. and ~min for JS-only changes (which you can do as artifact builds, so they’re always 3min unless you need to build C++/Rust components

                                1. 16

                                  Can I get a “Hates Electron” hat?

                                  It looks like you made a web version! - I wish everyone that made electron “apps” had the foresight to make web version (do they even need to be different repo?!). There is a lot more potential for your app now that it isn’t encumbered by electron! Someone can turn it into a service or run it on a BSD!

                                  I’d also like to nip something in the bud.. electron (and anything built on top of it) is not “mimimal”. It might have taken you very little code to produce said thing.. but electron is very very not minimal.

                                  Here is some data to chew on:

                                  Electron (66846bff975f92dd721d5ca29f332edf3795f1c0)
                                  Language                         files          blank        comment           code
                                  C++                                312           9711           4385          46244
                                  Markdown                           513          18985              0          43674
                                  JavaScript                         199           2979           1012          22966
                                  C/C++ Header                       337           5855           4674          19227
                                  Objective C++                       47           1573            713           6642
                                  Python                              39            911            288           2909
                                  HTML                               123            102              0           1885
                                  YAML                                 5             23             16            347
                                  Bourne Shell                         8             74             70            309
                                  JSON                                15              3              0            243
                                  Windows Resource File                1             21             33             85
                                  Bourne Again Shell                   7             23             21             70
                                  Dockerfile                           1              5              4              9
                                  PowerShell                           1              0              0              2
                                  CSS                                  1              0              0              1
                                  CoffeeScript                         1              0              0              1
                                  SUM:                              1610          40265          11216         144614
                                  Chromium (61.0.3163.100)
                                  qbit@slip[0]:chromium-61.0.3163.100λ cloc .                 
                                    209609 text files.
                                    189475 unique files.                                          
                                  Out of memory!800
                                  panic: POPSTACK
                                  Entire OpenBSD src tree (includes clang and gcc)
                                  Language                             files          blank        comment           code
                                  C                                    16045        1151514        1394479        6409501
                                  C++                                   9027         380730         428645        2129520
                                  C/C++ Header                         12480         401032         766593        2026578
                                  Perl                                  4122         157859         208622         982209
                                  HTML                                   903          33457           6243         471775
                                  Bourne Shell                          1298          62248          76580         469701
                                  Markdown                               259          46737              0         402916
                                  PO File                                129         141599         190451         319672
                                  Python                                1208          31439          29325         120108
                                  Assembly                               896          19716          53416         107674
                                  yacc                                    89          13030           8543          99830
                                  Expect                                 459          14444          21708          74919
                                  make                                  2271          14044           7875          59234
                                  m4                                     179           6227           3099          54859
                                  Windows Module Definition              179           5820             41          43062
                                  ASP.Net                                  2           1013             18          24720
                                  TeX                                     19           3073          12237          21050
                                  CMake                                  660           3043           2162          20623
                                  Lisp                                   104           1551            455          13386
                                  Pascal                                  42           2045           6029          10822
                                  lex                                     32           1620           1791           9035
                                  Fortran 77                             183            893           2886           7495
                                  Objective C                            201           1772            830           6473
                                  Objective C++                           16           1019            998           6024
                                  awk                                     51            500           1384           4363
                                  OCaml                                   59           1355           2442           4100
                                  Go                                      28            544            655           3876
                                  Fortran 90                              73            264            818           3457
                                  XML                                     36            193             53           3389
                                  CSS                                     22            528            251           3087
                                  Korn Shell                              12            565            958           2738
                                  YAML                                    52             20            113           2186
                                  sed                                     47            221            596           1851
                                  Antlr                                    2              0              0           1726
                                  DOS Batch                               29            258             97           1507
                                  JSON                                    21              3              0           1190
                                  JavaScript                               6            106            182            856
                                  Racket                                   3             76            132            626
                                  C#                                       8             87            108            557
                                  Bourne Again Shell                       7            111            196            532
                                  Forth                                    1             96            123            497
                                  Windows Message File                     1            102             11            489
                                  vim script                               9             60             78            395
                                  Mathematica                             93             18              0            350
                                  DTD                                      1             91             58            335
                                  MSBuild script                           1              0              7            254
                                  R                                       32             26             12            252
                                  diff                                    20             37            248            248
                                  Windows Resource File                    7             35             12            194
                                  XSLT                                     1             46              9            187
                                  MATLAB                                   6             69              3            173
                                  C Shell                                  2             17             22            132
                                  GLSL                                     1             16              0             61
                                  Protocol Buffers                         1             47            168             47
                                  Java                                     3              5             24             47
                                  Prolog                                   4             30             -1             44
                                  D                                        6              7              7             42
                                  Dockerfile                               6             26             90             38
                                  SAS                                      1             14             21             29
                                  Ada                                      4             13             45             23
                                  NAnt script                              1              0              0              9
                                  INI                                      1              1              0              6
                                  Standard ML                              2              0              0              4
                                  Lua                                      1              0              1              2
                                  SUM:                                 51464        2501512        3231949       13931085

                                  If someone else wants to run cloc on the chromium tree - I would love to see the complete output!

                                  1. 2
                                     ryzen chromium/src [287861b160] » time loc -uu
                                     Language             Files        Lines        Blank      Comment         Code
                                     C++                  51006     16769880      2144056      1660815     12965009
                                     Plain Text           52868      7840453       186175            0      7654278
                                     C/C++ Header         44407      6524647      1001316      1603227      3920104
                                     HTML                 67998      4149634       440243       206856      3502535
                                     C                     8773      4570335       541083       691917      3337335
                                     JavaScript           24789      4317194       494352       888292      2934550
                                     Python               12200      2650721       424870       258194      1967657
                                     JSON                  5696      1813849         2895            0      1810954
                                     Assembly              1561       975142        67340        23191       884611
                                     Java                  4417       967647       124617       191860       651170
                                     Hex                    351       602556            0            0       602556
                                     Objective-C++         3278       649941       100102        73113       476726
                                     XML                   2338       506560        38555        15844       452161
                                     Markdown              1910       263887        68139            0       195748
                                     GLSL                  6800       334925        46917       138825       149183
                                     CSS                   1729       120394        16977         8405        95012
                                     Makefile              1137       127804        16903        18113        92788
                                     Bourne Shell           821       126147        15239        22305        88603
                                     Perl                   196        88120         9900         8442        69778
                                     Objective-C            231        87862        11087         9129        67646
                                     Autoconf               367        69611         5883         7138        56590
                                     C#                     226        76446         7066        13049        56331
                                     Go                     115        55798         5386         5570        44842
                                     reStructuredText       299        55210        15199            0        40011
                                     INI                     25        41413         3327            5        38081
                                     Tcl                    134        39870         3773         6628        29469
                                     Protobuf               536        59063         8600        21791        28672
                                     PHP                    752        37499         3868         7485        26146
                                     YAML                   239        28976         2569          738        25669
                                     Yacc                    13        18205         1731         1457        15017
                                     Ruby                    36         6653          896          473         5284
                                     OCaml                   71         9685         1782         2796         5107
                                     Batch                  121         7016          991         1008         5017
                                     SQL                    145         4792          157          236         4399
                                     Lua                     31         4975          574          459         3942
                                     Sass                    35         3246          468          607         2171
                                     Lisp                    20         2594          291          441         1862
                                     TypeScript              34         3021          399         1067         1555
                                     TeX                      3         1875          286          238         1351
                                     Jsx                      5          849          112           60          677
                                     LinkerScript             3          584           15            0          569
                                     VimL                    13          774          117          191          466
                                     Swift                    2          469           53           58          358
                                     Awk                      2          291           53           55          183
                                     ASP.NET                176          176            0            0          176
                                     CUDA                     1          212           15           33          164
                                     R                        2          160           17           27          116
                                     Coq                      9           75            0            0           75
                                     Handlebars               7           70            4            0           66
                                     CoffeeScript             7           89           11           21           57
                                     ActionScript             1           75           18            0           57
                                     Prolog                   1           25            4            0           21
                                     Z Shell                  1           25            4           15            6
                                     Total               295938     54017520      5814435      5890174     42312911
                                    loc -uu  11.45s user 7.23s system 445% cpu 4.191 total
                                    1. 1


                                      whoa, I got 28,103,031 on chromium 61.0.3163.100! I wonder what the difference is - did you run depot-tools?

                                      1. 2

                                        I got 33 million with cloc earlier but don’t want to run it again to try to figure out what I’m either getting wrong or they’re ignoring. Was using my own thing: https://github.com/cgag/loc/

                                        Oh, I see you posted the output of cloc in another comment. I see I’m counting 7.6 million lines of plain text. I don’t know why I do that, but subtracting that out gets me down to 34 million which is reasonably close. Also finding far more HTML .

                                        I did use depot-tools, I think I’m at head.

                                        edit: I get a very similar count to tokei when I respect .gitignore like it does so I think mines reasonably accurate.

                                    2. 2

                                      So I got the output from chromium!

                                      So Electron (144,614) and Chromium (28,103,031) mean that electron’s “code base” is 28,247,645 lines of code long. 13.9 million more than a fairly feature complete OS!

                                      1. 1

                                        What is your point? You’re comparing a browser and an operating system (which is orders of magnitude larger and more complex).

                                        Electron is fast to run (even on older hardware and laptops) and easy to build apps with, Slack is a terribly built application but is still the only one people mention when talking about Electron.

                                        Granted, I would probably use a Gecko version of electron if I could, but I am not aware of any projects like that.

                                        1. 3

                                          (which is orders of magnitude larger and more complex).

                                          The point is that the browser is “magnitude larger and more complex” than a complete operating system. Electron is by no means fast to run, the memory usage is over the top and its not portable to systems they don’t support because of the enormous complexity.

                                          The way how electron is designed makes it impossible to have a shared runtime, which would reduce the amount of work to add electron based programs to distributions package managers or ports systems.

                                          Its not feasible to build a whole browser for each electron app.

                                          1. 1

                                            I’m confused, you say that Electron is larger, but the numbers you posted don’t follow that: Electron: 1610 files, 144614 LOC OpenBSD: 51464 files, 13931085 LOC

                                            Electron is by no means fast to run, the memory usage is over the top

                                            I’ll say it again, that is the individual application’s responsibility. Most JS devs don’t know how to be memory safe.

                                            not portable to systems they don’t support because of the enormous complexity

                                            This is a legitimate complaint, but is a solvable problem. It’s possible to support FreeBSD and OpenBSD in the near future (as far as I know).

                                            I’ll admit that a shared runtime would be advantageous from a package managment standpoint, but then you need the latest runtime for one app, but that breaks another and it becomes a big mess.

                                            1. 2

                                              Out of memory!800

                                              panic: POPSTACK

                                              while running cloc on chromium, it never finished.

                                              1. 1

                                                Why don’t you try running it on OpenBSD?

                                                1. 5

                                                  What? The post from @qbit includes cloc of the OpenBSD source tree and includes the attempt to run it on the chromium source.

                                                  The point is that chromium is too larger to even run cloc on it, while you can completely scan the OpenBSD tree.


                                                  1. 1

                                                    Oh, I misunderstood your first post, I didn’t understand that the tables were the output of cloc (I’ve never used it before). I see what your saying now, but my point still stands, JS devs are the problem, not Electron.

                                                  2. 2

                                                    Are you taking about electron or cloc of chromium? - because I have tried electron and that cloc cmd above was run on OpenBSD.

                                                    1. 1

                                                      See above.

                                            2. 3

                                              Yeah, my point is that an entire OS* src tree is orders of magnitude smaller than the chromium source (which is included when you build electron apps!!)!

                                              (*) With awesome things like:
                                              • acme client
                                              • perl
                                              • dns server
                                              • http server
                                              • dhcp server
                                              • clang
                                          1. [Comment removed by moderator pushcx: don't make "hate posts"]

                                            1. 4

                                              And Direct3D. But for an electron app it really is minimal: only 145.3 MiB on disk.

                                              1. 5

                                                A “minimal X app” generally means an app with a simple and straightforward interface, not an app that fits in 64kb.

                                                1. 3

                                                  I mean, you sort of need a browser to render markdown.

                                                  1. 3

                                                    Isn’t the point of markdown the ability to see ‘formatted’ text without rendering it as HTML? I’ve never really understood the value of these markdown editors, given that the most complex thing in MD seems to be lists

                                                    1. 4

                                                      What makes you think you need a browser for simple text formatting?

                                                      1. 8

                                                        Markdown has full support for inline HTML.

                                                        It’s even so central to the language that it’s literally the second section in the original markdown document

                                                        1. 3

                                                          Never saw this, but I guess that comes from all the different markdown flavors.

                                                          But ok, use electron for this and call it minimal, I don’t have to care if I don’t use it.

                                                          Edit: But using some webkit view from gtk or qt would make it less of a problem for me as someone who packages software for a linux distribution. Packaging electron apps is just not feasible because we need patches for it to support musl libc and building it over and over again for each electron app is just wrong.

                                                          1. 4

                                                            I find your comment particularly infuriating.

                                                            Your original post was a lowbrow dismissal of someone’s work couched with irony to provide plausible deniability. Even then, you knew it wasn’t the right thing to do.

                                                            You then showed that you hadn’t even bothered to understand the field before dismissing the project.

                                                            You then did another lowbrow dismissal comment, but then followed it up with an edit, in which you suggested:

                                                            1. the developer take a hard dependency and rewrite their entire software in one of two perennially buggy, flaky, fast-moving and platform-locked desktop linux frameworks, just because it would make your life as a linux software packager easier

                                                            2. it’s impossible to package electron apps because you have to do work to compile it and that makes you sad

                                                            I’m trying to imagine scenarios under which you could express more entitlement or lack of respect for people who actually do work, but they’re not coming to me. Additionally, if the job of packaging software is too hard for you, maybe stop doing it.

                                                            1. 6

                                                              After your edit this is a much more informative post than your top level one dissing the project. Perhaps you could lead with something more like this next time?

                                                              1. 3

                                                                To my understanding, though, there’s no good quick solution to package GTK and QT applications to OS X/Windows, which - to my understanding - is one of the main reasons people pick electron?

                                                                1. 1

                                                                  Edit: But using some webkit view from gtk or qt would make it less of a problem for me

                                                                  I maintain the OpenBSD port for ghostwriter, it’s pretty minimalistic and uses qt5 webkit view.

                                                              2. 2

                                                                There are much nicer ways to make a technical point than this. Please use one of them in the future.

                                                          1. 2
                                                            deny odedlaz as root cmd /bin/rm args .*\s+/$

                                                            Does that seem right?

                                                            doas /bin/rm -rf //
                                                            doas /bin/rm -rf / /tmp/whatever.txt

                                                            The gist is that sudo is hard to configure is it. doas might be slightly easier to configure for some cases, but it’s so easy to get these things wrong that I simply don’t recommend the use of sudo or doas or any similar tool to anyone for any reason.

                                                            setuid-root programs are dangerous. Heck, setuid-anyone programs are dangerous. These kinds of programs are very difficult to get right, so it makes sense to try and store all of the functionality and logic in a single place like sudo or doas, but I think it’s much too difficult for most programmers and worse still there’s simply no reason you need to use it.

                                                            SSH forced commands are better, and if you forward environment variables and write wrapper scripts, you’ll get an audit trail (which could potentially and trivially be on a separate machine if you have configured pam that way), and what’s more: it’s easy to get right.

                                                            1. 3

                                                              The gist is not only the easier configuration but also the small codebase, which should statistically reduce the amounts of bugs. (I’m talking about the original doas, I think the c++ author didn’t get the memo) How is ssh any better, doas has a really small codebase, the configuration is easier to write than wrapper scripts. And you can get the audit trail through syslog and/or bsd-auth or pam.

                                                              1. 2

                                                                How is ssh any better?

                                                                I assume I’ve already paid for ssh; I’m going to use it to reach the machine. The additional code is sudo/doas.

                                                                If you don’t need ssh (e.g. because you access via the console, via a physically connected terminal, or a terminal simulated via a hypervisor, or even via a separate management network) then I wonder why don’t you audit the use of your terminal server instead of trying to do it from the machine?

                                                                I’m talking about the original doas, I think the c++ author didn’t get the memo

                                                                It’s hard to otherwise talk about doas: OpenBSD isn’t an option for most of what I do, but yes: it looks a lot better than this. I’m talking about this article which purports to represent “doas”.

                                                                the configuration is easier to write than wrapper scripts

                                                                You’ll probably need to write wrapper scripts anyway. OpenBSD’s doas doesn’t have a particularly flexible configuration file format, and this one has such a horrible grammar that you’re likely to get it wrong as well.

                                                                But hey, you know bourne-shell already, so you’re probably likely to get your wrapper script correct.

                                                            1. 3

                                                              Given all the aspects in which it would seem to be technically superior, how come OpenBSD isn’t eating away at some of Linux’s market share?

                                                              1. 12

                                                                Network effects. Default choices. AWS launches with linux support, so people pick linux, then they pick docker, etc etc etc.

                                                                Linux does solve a great many problems that OpenBSD does not. (Well, it offers a great many features and buttons and such which look like solutions. :)) I’m not sure that one operating system that solves all problems is the best approach, though. there’s a lot of disagreement about how even a desktop OS should work and how components should fit together.

                                                                1. 5

                                                                  I had also heard that performance on newfangled hipster tasks (http service, MP scheduling, databases) was nontrivially worse, so I started trying to run an OpenBSD instance on AWS to run some side by side tests in order to invalidate those rumors. Apparently one guy once heard of a file you can UUCP from sunsite.unc.edu that enables 80-character mode so that you can give it a shot, but that was from a Byte magazine reader article so I cannot vouch for its veracity. I had to give up when my eyelids started twitching uncontrollably.

                                                                  The reputation for security doubtless partially stems from the fact that installing the thing requires delivering the One True Ring to a locked basement cabinet guarded by leopards in an abandoned mausoleum underneath a nuclear waste disposal site in Afghanistan. Minimization of attack surface and all that. Somewhere, a Haskell core developer is putting down his glasses and rubbing his eyes in admiration.

                                                                2. 9

                                                                  Hardware support is what keeps me from switching.

                                                                  1. 7

                                                                    And historically, perofrmance. I haven’t seen any good performance comparisons in the last few years (that I remember anyway), but several years ago there were several comparisons done that showed somewhat poor openbsd (and netbsd as I recall) scalability (multi-core performance, etc). Linux has often been one of the top performers in those types of benchmarks.

                                                                    Go fast until the wheels fly off?

                                                                  2. 5

                                                                    The following HN comment from Brendan Gregg might be worth a read. It’s answering in detail basically the same question, just for Illumos rather than OpenBSD: https://news.ycombinator.com/item?id=12837972

                                                                    1. 8

                                                                      The reply is a touch acerbic, but makes some good points too I think. Like why not just give up when linux is 1000 developers ahead? Because half of them are wasting their time inventing ten different tracing frameworks. Ok, admittedly it would be nice for openbsd to have one perf tool, but I think we’re not so far behind as it may seem.

                                                                      Also, for something like inteldrm, there’s a team of devs who keep churning the code, which causes kettenis some struggle when he tries to import it, but on the whole we get most of the benefits of that driver at a considerable manpower discount. The precise economics aren’t quite that simple, but not all of the effort spent on linux is locked in linux either.

                                                                      1. 3

                                                                        Sure, I agree on both of those points. Some effort will be wasted to duplication and churn, some will have little effect as it can be easily reused by other projects.

                                                                        But if the larger developer base is at all positive, it will add up over the decades. E.g. 20 years ago the common wisdom would have been that the BSD TCP stack was both battle hardened and state of the art, while the one in Linux was flaky and scaled badly with load. It’s definitely the other way around these days (to a different extent for different BSDs), with a steadily increasing delta. And then repeat the same story over dozens of subsystems.

                                                                        Clearly there are things that more manpower doesn’t help with. Like deleting code to reduce attack surface; I’m pretty sure that the larger the team, the harder that is to achieve :) It’s not that developers of non-Linux operating systems should just give up, or anything like that. But the assertion at the start of this thread on Linux’s technical inferiority doesn’t feel realistic to me.

                                                                        1. 2

                                                                          That interesting comment reminds me a lot of the Worse is Better effect that got UNIX to dominance in the first place. There were better systems including some focused on good docs, reliability, and high security. I write about them a lot. ;) They lost with them being in close to legacy mode or gone depending on the product/project. The Linux situation, esp as Brendan Gregg describes it, looks like a repeat of that with Linux doing it to the other UNIX’s. I already knew this seeing the likes of SGI, IBM, and Oracle get on the Linux bandwagon despite having proprietary UNIX’s to push. In contrast, OpenBSD is trying the UNIX version of The Right Thing. It will fail in broad sense because that always happens.

                                                                          It’s destined to a niche of those that care about The Right Thing. You’ve all done a great job keeping it up despite your filter on the kind of contributors you accept and not giving into market’s crap that much. I saw Theo backtrack a bit with VMM admitting OpenBSD might have to do a little more for marketability. Still, the project will probably need a like-minded sponsor with lots of money and/or talent to break past what we’ve seen so far since The Right Thing is always swimming upstream vs Worse is Better which sometimes creates tsunami’s. Those of us focused on quality might always be also-rans in larger scheme of things. (shrugs)

                                                                      2. 5

                                                                        Linux is easier to use.

                                                                        How do you search for a package in OpenBSD? How do you get a description in your search results? You can search package names by downloading the index.txt file from the packages directory on a mirror. But anything more sophisticated you have to use the ports tree and the janky makefile system with non-intuitive syntax and cryptic errors to do any interesting searches.

                                                                        It’s actually possible to download and install a Linux distro that comes with a desktop environment, installs quickly, and works fine right away. When I was first getting into non-Windows operating systems in middle school, I tried out OpenBSD because the whole secure OS thing sounded cool to me. I screwed with it for hours, felt like I was getting nowhere, then gave up and installed Linux Mint.

                                                                        I run OpenBSD now, but I’m also a systems programmer / SRE at a database company, so I’m not exactly an “average user” that represents the trend of the market.

                                                                        1. 6

                                                                          pkg_info -Q is what you want. That said - it looks like it doesn’t respect the -d or -c flags (I have a diff to make it work with it though)

                                                                          1. 3

                                                                            yep. i use pkg_info, i browse the ports mailing list, read the website, and also look at my mirror of choice from time to time.

                                                                            i just use cwm that’s in base. i had previously used gnome and xfce from packages. i reckon my willingness to read documentation mostly gets me to where i need to be… other things figured out by trial and error, mailing list, and searching the internet.

                                                                            1. 2

                                                                              You make it seem like reading the documentation is a bad thing? This should be the preferred approach.

                                                                              On linux the preferred approach is asking half assed questions on stack overflow.

                                                                              1. 1

                                                                                i don’t think it’s a bad thing. i’m implying that everyone saying openbsd is difficult to install or use aren’t reading these things and i don’t really understand why.

                                                                            2. 2

                                                                              Ahhhh. I’m somewhat amazed that I didn’t know that. But I will still call it unintuitive. See, I expected something like pkg_search, or to find something searching for “search” in man pkg_info. Searching “OpenBSD search for package” on Google returns a bunch of ancient results about ports. It IS mentioned in the packages FAQ though, but the preview text on Google mentions ports specifically. So I must have searched for it, seen those results, rolled my eyes, looked in the man pages, seen nothing, and decided to just download the index file.

                                                                              Compare to most Linux package managers, which when run with no arguments tell you the commands to install and search. The word “search” specifically is much more well known than “query” because of Google.

                                                                              So even though I’m a bit lazy and it’s clearly my fault for not knowing this as a sophisticated user, I think helping rather than blaming the user isn’t the right strategy towards getting adoption. Linux is really good about that, OpenBSD not so much.

                                                                              1. 2

                                                                                or to find something searching for “search” in man pkg_info.

                                                                                Query is close. I guess it’s a difference in terminology.

                                                                                Searching “OpenBSD search for package” on Google

                                                                                This seems to be a common trend among Linux users, google is consulted with more authority than local documentation. I personally do the same thing.. when finding issues with linux machines I always go to google first.. the crap documentation (often lacking entirely) has trained me to do so!

                                                                                I think helping rather than blaming the user isn’t the right strategy towards getting adoption. Linux is really good about that, OpenBSD not so much.

                                                                                Where was there lack of help and who is doing blaming?

                                                                                1. 3

                                                                                  I realize query and search are close, but search is definitely the layman terminology.

                                                                                  Googling isn’t just a Linux strategy, that’s what Windows and Mac users do too. Apple in particular is pretty good about making their support pages show up on Google.

                                                                                  I didn’t originally mean people blaming the user directly, but rather a UX that “blames the user” in its design, and for OpenBSD I mostly see this in docs or commands. Not being able to find the -Q flag in the man page by searching (querying?) for search is poor UX. It implicitly becomes the users fault for not reading the whole manual. There are no examples either, where surely a common operation like search would be demonstrated. And OpenBSD commands don’t self document or provide assistance, whereas Linux commands will often list the most common usage if you don’t type a valid command. Using OpenBSD feels a bit RTFM, wheras on Linux stumbling around in an interactive session is much more viable, as most things try and point you in the right direction.

                                                                                  This goes both ways, on OpenBSD it’s way more likely that if you can’t figure something out, it actually is documented somewhere. But that documentation could be more accessible and searchable.

                                                                                  But also user blaming happens directly on misc@. I am part of no other community that ever makes me think “wow these people are such outrageous stuck up assholes, I’m not even sure I want to be a a part of this anymore.” Mostly OpenBSD people are intelligent, articulate, and kind. For example, I’ve had nothing but good experiences talking with OpenBSD folks on lobsters. But wow some of the stuff on misc makes my blood boil.

                                                                                  I’ve considered contributing to OpenBSD docs to make them more accessible, especially FAQs / new user guides, but my experiences on misc have always stopped me. I worry that I’ll be shot down for going against the OpenBSD philosophy, and I won’t even be rightly told why, just be told I’m a moron. It sucks, because I love OpenBSD and I want to share it and make it easier for people to learn about, but I feel discouraged from contributing.

                                                                                  1. 1

                                                                                    again i feel the direct opposite here.

                                                                                    i was able to find everything i needed without asking for help and without googling for the most part.

                                                                                    still don’t understand how you missed -Q in the pkg_info man page because it’s right at the top in synopsis.

                                                                                    maybe i’m a stuck up asshole too.

                                                                                    1. 1

                                                                                      maybe i’m a stuck up asshole too.

                                                                                      I don’t think so.

                                                                                      still don’t understand how you missed -Q in the pkg_info man page because it’s right at the top in synopsis.

                                                                                      I wanted to search, I scanned the first line for search, /searched for search, moved on. I’m just too impatient. But a lot of people are too impatient, and worse a lot of people just don’t care enough to persist.

                                                                                      1. 1
                                                                            3. 3

                                                                              i’m an average to below average user and i use openbsd as my daily driver.

                                                                              i don’t program and my knowledge of computers is intermediate at best.

                                                                              i also work in a non-tech field.

                                                                              i think it’s the easiest and most straight-forward OS to use.

                                                                              so, obviously i disagree with this.

                                                                              1. 3

                                                                                I wonder what you’re doing on lobste.rs :)

                                                                                1. 2

                                                                                  Interesting! So, how do you look for packages you need to install? How’d you get going with a desktop environment?

                                                                              2. 3

                                                                                The file system isn’t great…

                                                                                1. 11

                                                                                  Please. Greatest filesystem of the 80s. Best decade, best filesystem.

                                                                                  1. 2

                                                                                    That was Files-11 on OpenVMS with versioning and stuff. Especially integrated with high-uptime stuff like clustering and distributed lock manager. Or NonStop’s Guardian with its crazy reliability. Or first system (SCOMP) certified to high security that added ring and segmented protection to them with system-wide security policy.

                                                                                    I do agree it was one of best decades for applied IT with all kinds of awesome shit happening based on what CompSci had worked on in 1960’s-1970’s with better hardware available. A lot of things started coming together that couldn’t before.

                                                                                2. [Comment removed by author]

                                                                                  1. 8

                                                                                    Or they need to run certain applications that are only available on Linux, or they need drivers that are only available on Linux, or they want a filesystem that has more features than UFS/FFS, etc.

                                                                                    OpenBSD picked a niche and perfected itself in that niche. I think it is a shining example that picking one problem and solving it well, is often better than being a jack of all trades, master of none.

                                                                                    (Which does not mean that it cannot be used as a general purpose OS with some care.)

                                                                                    1. 6

                                                                                      Even as someone who likes the FSF, I doubt many Linux users are there because of (rather than despite, or indifferent to) the GPL. It’s not hard for me to imagine an alternate universe without the BSD lawsuits where FreeBSD or something got popular as the mainstream free hobbyist Unix in the 1990s, and I seriously doubt FSF diehards would have been able to keep more than a handful of people from going with that bandwagon, had it developed (and had they actually wanted to).

                                                                                    2. 1

                                                                                      Same reason as many other similar situation throughout the industry. People know something else, a lot is built on other systems, marketing, and once you have a certain amount of people using tech X it’s really hard to use something else.

                                                                                      Another side effect that kicks in with Linux Distributions, Operating Systems and Programming languages is that at many places if you introduce a technology that isn’t the currently dominant one you will be personally blamed for every single bug or different obstacle it has. It will often be blamed on it, despite also existing on the dominant OS.

                                                                                      Something related is that sadly a lot of software that companies and people end up using at some point is written in unnecessarily non-portable ways. I once worked at a company that used a software running a bash script (stored inside a string in a program) and it had a typical non-portable #!/bin/bash instead of #!/usr/bin/env bash. As usually I’d report that and even create a pull request on a huge (in terms of stars, in the tens of thousands) and very hyped software, expecting it would be accepted. After being baffled that the authors didn’t even know about /usr/bin/env and what it does, a link to Wikipedia didn’t help either the conversation stalled. Since that project was being used by the front end developers I kept patch sets for such things around.

                                                                                      And while those tiny things are really not hard in general these tiny things add up. I know the problem even exists if you don’t use Ubuntu, but for example Alpine in the Linux world.

                                                                                      Having these kind of portability issues leads to the dominant technology in a field to quite often not be the best. The most famous example is how long Internet Explorer stuck, despite Opera and the Mozilla browser, until Firefox came along.

                                                                                      When there is a lot of users and developers even pretty bad technology can stick, because there will be widely used workarounds for problems, there will be progress on fronts, even when the architecture is flawed, etc. Change is rarely that quick, especially when many parties are involved and put their money and effectively lives on it.

                                                                                      Of course that doesn’t mean that Linux is bad and OpenBSD is great, just that technical superiority or being a bit better than others usually is far from a good indicator for dominance in a field. Especially if marketing and politics have a big presence, but even without. People simply need to have heard of it and a good reason to switch and get into something new to them and settle there. When there is no direct financial effect, that is significant enough people tend to not just switch utilities from one moment to the next. And even when you know OpenBSD really well and are convinced its better introducing that in an existing company might not be an option. Of course you can always switch, but why give up a safe, well-paying job with great coworkers for an operating system?

                                                                                      1. 1

                                                                                        Docker / namespaces

                                                                                      1. 6


                                                                                        /* Just a safe strncpy(3) */
                                                                                        static void
                                                                                        xstrlcpy(char *dest, const char *src, size_t n)
                                                                                        	strncpy(dest, src, n - 1);
                                                                                        	dest[n - 1] = '\0';
                                                                                        xstrlcpy(cmd + strlen(cmd), newpath, strlen(newpath) + 1);
                                                                                        xstrlcpy(buf + strlen(buf), fpath, strlen(fpath) + 1);
                                                                                        1. 2

                                                                                          Very small nitpick: this only works if /bin/sh is bash (or something that supports $((...))). Works like a charm after telling it to run with bash.

                                                                                          I missed the original sct thread, and redshift felt heavy, so this little script + sct will be of great use to me. Thanks!

                                                                                          1. 4

                                                                                            Piling on the nitpick wagon, error messages should go to stderr rather than stdout:

                                                                                            - echo "Please install sct!"
                                                                                            + echo >&2 "Please install sct!"
                                                                                              exit 1;
                                                                                            1. 2

                                                                                              FWIW, dash handles this properly as well:

                                                                                              % file /bin/sh
                                                                                              /bin/sh: symbolic link to dash
                                                                                              % sh
                                                                                              $ echo $((1440 - 720))

                                                                                              OpenBSD’s ksh, same goes for zsh:

                                                                                              $ echo $((1440 - 720))

                                                                                              So I guess on the majority of systems you’d run X on, this won’t be an issue ;)

                                                                                              Now, my own nitpick - I’ve ran shellcheck and fixed some warnings:

                                                                                              # Copyright (c) 2017 Aaron Bieber <aaron@bolddaemon.com>
                                                                                              # Permission to use, copy, modify, and distribute this software for any
                                                                                              # purpose with or without fee is hereby granted, provided that the above
                                                                                              # copyright notice and this permission notice appear in all copies.
                                                                                              # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
                                                                                              # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
                                                                                              # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
                                                                                              # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
                                                                                              # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
                                                                                              # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
                                                                                              # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
                                                                                              SCT=$(which sct)
                                                                                              if [ ! -e "$SCT" ]; then
                                                                                                  echo "Please install sct!"
                                                                                                  exit 1;
                                                                                              setHM() {
                                                                                                  H=$(date +"%H" | sed -e 's/^0//')
                                                                                                  M=$(date +"%M" | sed -e 's/^0//')
                                                                                                  HM=$((H*60 + M))
                                                                                              if [ $HM -gt 720 ]; then # t > 12:00
                                                                                                  for _ in $(jot $((1440 - HM)));  do
                                                                                              else # t <= 12:00
                                                                                                  for _ in $(jot $HM); do
                                                                                              while true; do
                                                                                                  if [ $HM -gt 720 ]; then
                                                                                                  $SCT $S
                                                                                                  sleep 60

                                                                                              Also note that on linux systems, the jot binary is often not available (I just discovered it today, it’s an OpenBSD utility). At least on void linux one can install it with the outils package.

                                                                                              Either way, very useful - no need to run sct by hand now :)

                                                                                              1. 2

                                                                                                Odd, my dash at home barfed on the script. I now checked again, and it errors out on function setHM { .. }: it wants setHM () { ... } instead.

                                                                                                Not quite sure why I remember $((...)) being a problem…

                                                                                                1. 1

                                                                                                  function, even though technically a bashism, originated in ksh.

                                                                                                  In terms of $((...)) being a problem, you are most likely referring to ((...)) which is indeed a bashism. Alternatively, you might have come across ++ or -- in $((...)), which are not required by POSIX.

                                                                                                2. 1

                                                                                                  for _ in $(jot $((1440 - HM))); do

                                                                                                  huh, I had no idea _ was a thing, neat!

                                                                                                  1. 1

                                                                                                    $_ holds the last argument of the preivously run command. Overwriting it does no harm here and in similar places, so I occasionally make use of it (both to silence shellcheck and to signal the value won’t be used). It’s possible though some folks might object :)

                                                                                                  2. 1

                                                                                                    Also note that on linux systems, the jot binary is often not available (I just discovered it today, it’s an OpenBSD utility).

                                                                                                    You can use seq instead of jot on linux.

                                                                                                  3. 1

                                                                                                    In similar vein, I’d suggest to replace [ with [[ because the latter is a bash/zsh/dash builtin.

                                                                                                    1. 1

                                                                                                      Its a myth, you can check it with type [, both are builtin, [[ is only available in larger shells, [ is POSIX. The [ should be preferred for #!/bin/sh portability.

                                                                                                    2. 1

                                                                                                      $((…)) is very much POSIX.

                                                                                                    1. 5

                                                                                                      lr is a easy to use alternative with an expression language.

                                                                                                      1. 7

                                                                                                        To echo the problems described in the article with small Linux distros: there’s this huge problem with not enabling localization (I speak English, and pretty much only English, so yay for me, but I could see it being a problem for others), and not including all documentation.

                                                                                                        I can’t remember if it was Alpine or Void, but one of them either doesn’t include the man command in the default installation or doesn’t have man pages for the default package manager, or both, I can’t remember. Obviously a problem. And nothing is more irritating than reading a man page, seeing “look at /usr/share/docs/FOO” and there being nothing in /usr/share/docs.

                                                                                                        (And don’t even get me started on texinfo. That shit needs to die.)

                                                                                                        1. 3

                                                                                                          Void comes with man pages and mdocml.

                                                                                                          1. 3

                                                                                                            Alpine has no man by default, though easily installed. I gave up shortly after, though, upon discovering there’s no xterm package.

                                                                                                            1. 1

                                                                                                              Seems to be on the community repo: https://pkgs.alpinelinux.org/packages?name=xterm

                                                                                                            2. 1

                                                                                                              l10n is definitely on my radar, but it’s a bit of a head scratcher wrt how to implement it correctly in-line with the principles of the distro. I don’t want to include anything on your system you’re not actually using, like l10n for langauges you don’t speak.

                                                                                                            1. 6

                                                                                                              Somebody stole my idea! (To use kqueue to track processes.)

                                                                                                              1. 1

                                                                                                                Where do they talk about that?

                                                                                                                By “track processes”, do you mean to get notified of process completion?

                                                                                                                1. 1

                                                                                                                  See for instance. https://github.com/immortal/immortal/blob/master/watchpid.go

                                                                                                                  Mentioned in the manual: https://immortal.run/post/immortal/

                                                                                                                  But they don’t really do everything I was imagining, so my plan is still safe. :)

                                                                                                                  1. 2

                                                                                                                    OK, but isn’t the entire point of that kqueue feature to track process completion? I don’t understand what “your idea” is.

                                                                                                                    On Linux you can do this with signalfd: http://man7.org/linux/man-pages/man2/signalfd.2.html

                                                                                                                    But as far as I know, the self-pipe trick works just fine if you only assume POSIX APIs: https://cr.yp.to/docs/selfpipe.html

                                                                                                                    1. 1

                                                                                                                      I don’t see how you can use signalfd(2) for this, kqueue(2)s EVFILT_PROC is something completely different. The CONFIG_PROC_EVENT and CONFIG_CONNECTOR stuff on linux would be comparable.

                                                                                                                      1. 1

                                                                                                                        What is the idea behind EVFILT_PROC? I assumed that because kqueue is for async I/O, it delivers notice of process completion (SIGCHLD) over a file descriptor.

                                                                                                                        When you use the self-pipe trick, you’re registering a signal handler that delivers process completion notification to your event loop via a file descriptor. It’s basically unification of waiting for I/O events and waiting for signals.

                                                                                                                        1. 1

                                                                                                                          The proc filter returns events for processes, but there’s no file descriptor involved.

                                                                                                                          1. 1

                                                                                                                            OK, but I still fail to see anything new in immortal or anywhere else. All these kernel features were added explicitly for this use case – waiting simultaneously for file descriptors and process completion. In other words, more naturally integrating event loops and process completion events.

                                                                                                                            Some high level async APIs have missed this, since they were geared toward networking, like Tornado. But Twisted has had it for decades, and node.js has had it since the beginning too. libuv must do it under the hood.

                                                                                                                            1. 1

                                                                                                                              Looking at it again, it doesn’t even do supervision like its known from daemontools, calling it “supervisor” is confusing. Thats why it can’t use SIGCHLD and why it uses kqueue(2)s NOTE_EXIT, just look at the linux WatchPid function which just shows the completely uselessness. https://github.com/immortal/immortal/blob/a05a0dddc688902653d092bf8d3826a3cd1d0977/watchpid_linux.go

                                                                                                                              kqueue(2)s EVFILT_PROC can be used if the service “daemonizes” which makes real supervision impossible.

                                                                                                                              edit: maybe it does daemontools like supervision, https://github.com/immortal/immortal/blob/08e38b25b81de3650bfe99a2bb782beaaa40b91b/process.go#L100 its hard to follow the code.

                                                                                                                2. 1

                                                                                                                  What was your idea behind :-) maybe we could implemented it, currently I found very nice to use Kqueue when following the PID mainly because I don’t have to do any long pooling for checking the status of the PID, but curious to know about what more could be improved/implemented.

                                                                                                                  1. 1

                                                                                                                    I’m using kqueue NOTETRACK and NOTEFORK to watch for all the children. Doesn’t look like immortal does that? If I kill a daemon, I (sometimes) want to kill all the forked processes.

                                                                                                                    1. 1

                                                                                                                      Right, Immortal is only using NOTE_EXIT to check the status of a process that was not originally created by immortal, basically only used when using the -f option to follow the pid.

                                                                                                                1. 6

                                                                                                                  Sometimes it’s impossible to forbid users from calling close themselves. For this reason it’s hard to build correct thin abstraction layers on top of epoll.

                                                                                                                  Man, this is the leakiest abstraction.

                                                                                                                  I happen to like using kqueue, and I’ve definitely written code which absolutely depends on close -> unregister. It could probably be dealt with, but certainly annoying.

                                                                                                                  1. 1

                                                                                                                    I actually tried it with code you wrote, never finished it because it was really bad. https://github.com/Duncaen/openrebound/blob/master/libopenbsd/kqueue_epoll.c I think i stopped when i realized that i cant really close the sockets and then replaced the close calls with shutdown to close them later somewhere.

                                                                                                                  1. 1

                                                                                                                    The main issue with this is that it doesn’t even get basic features like continuing a aborted queue right,a well designed alternative would be https://github.com/chneukirchen/nq

                                                                                                                    1. 1

                                                                                                                      What do you mean by continuing an aborted queue? There is an option resumeAfterStart, which defaults to False to avoid mistakes.

                                                                                                                      1. 1

                                                                                                                        Keeping the state of queues not only inside the memory, in case your daemon or your OS dies. nq creates simple files in a directory for each queued command, every time something is done it removes the executable bit from this file. This allows to reuse queues by chmod +x ,* and then restarting nq. And it allows multiple queues, each queue has its directory, not just one daemon.

                                                                                                                    1. 7

                                                                                                                      It sounds like what you really need for this to be usable on Linux is an implementation in userspace of pledge() (still implemented using seccomp() for the actual filtering itself) which is provided by your libc and therefore has at least a snowball’s chance of correctly knowing what syscalls correspond to what operations.

                                                                                                                      That wouldn’t suffice for software that invokes syscalls directly, without libc. I imagine a more complicated mechanism might work though: each piece of code that will invoke syscalls directly (e.g. libc, Go stdlib, etc) needs to also have in its API somewhere a function that spits out BPF fragments that can be chained together to take their union and then passed into seccomp().

                                                                                                                      1. 1

                                                                                                                        The problem with a pledge implementation in the linux userspace is that seccomp(2) rules are inherited by child processes executed with execve(2).

                                                                                                                        1. 1

                                                                                                                          Isn’t that exactly the behaviour which I want? It’s not a very good sandbox if I can break out of it by execve()ing something. In all of the practical use cases I can think of for sandboxing, if you’re going to fork() or execve() then you do so at the same time as reading your config files and then you impose the sandbox on yourself afterward.

                                                                                                                          Edit: if inheritance isn’t what pledge() itself does then the sandbox would have to be given a different name for clarity’s sake, of course.

                                                                                                                          1. 1

                                                                                                                            Yes new processes executed with exec are not pledged, see the exec promise in pledge(2). This makes it easier to pledge everything, with seccomp you would need very broad rules for programs like sudo, doas or sshd. pledge limits the impact of code execution vulnerabilities in the pledged executable, seccomp is more like a sandbox.

                                                                                                                      1. 1

                                                                                                                        So you could use this instead of X so long as clients target yaft? I see it supports OpenBSD even…

                                                                                                                        1. 3

                                                                                                                          Clients? Its a terminal emulator.

                                                                                                                          I prefer fbpad and a few other framebuffer tools (image viewer, pdf viewer) from https://litcave.rudi.ir/. And mpv with drm output.

                                                                                                                          1. 1

                                                                                                                            I thought it was like the linux framebuffer which (eg) mplayer and sdl can target.

                                                                                                                        1. 9
                                                                                                                          [ -d "${JOURNAL_DIR:=~/journal}" ] || mkdir -p "${JOURNAL_DIR}"
                                                                                                                          while getopts "d:" opt; do
                                                                                                                              case "$opt" in
                                                                                                                              d) DAY=$OPTARG ;;
                                                                                                                              *) printf "usage: ${0##*/} [-d dd.mm.yyyy] [ls|read|write]\n"; exit 1 ;;
                                                                                                                          shift $((OPTIND-1))
                                                                                                                          : ${DAY:=$(date +%d.%m.%Y)}
                                                                                                                          case "${1:-write}" in
                                                                                                                          ls) ls -1 "${JOURNAL_DIR}" ;;
                                                                                                                          read) ${PAGER:-more} "${JOURNAL_DIR}/${DAY}" ;;
                                                                                                                          write) ${EDITOR:-vi} "${JOURNAL_DIR}/${DAY}" ;;
                                                                                                                          *) false ;;
                                                                                                                          1. 2

                                                                                                                            For some reason this script creates a directory named ~; doing $HOME instead of ~ makes it work as expected for me (using dash as my /bin/sh)

                                                                                                                            [ -d "${JOURNAL_DIR:=$HOME/journal}" ] || mkdir -p "${JOURNAL_DIR}"
                                                                                                                          1. 3

                                                                                                                            I use AddKeysToAgent yes in my ssh_config to add the keys automatically to the agent after using the key.

                                                                                                                            1. [Comment removed by author]

                                                                                                                              1. 1

                                                                                                                                There is support for void linux since the last release (https://github.com/saltstack/salt/commit/f58cdda0868c18cd3f1bf8d3cfee427a8b2f6399).