1. 18

    I no longer believe that daemons should fork into the background. Most Unix systems now have better service control and it makes the code easier to deal with if it doesn’t call fork(). This makes it easier to test (no longer do you have to provide an option not to fork() or an option to fork()) and less code is always better.

    1. 6

      Not forking also allows logging to be an external concern and the process should just write to stdout and stderr as normal.

      1. 1

        This is not so much about the forking per se, but rather the other behaviour that generally goes with it: closing any file descriptors that might be connected to a controlling terminal.

      2. 4

        OpenBSD’s rc system seems to expect that processes fork. I don’t see an obvious workaround for processes that don’t fork.

        1. 3

          It’s not that hard to write a program to do the daemonization (call umask(), setsid(), chdir(), set up any redirection of stdin, stdout and stderr, then exec() the non-forking daemon).

          1. 2

            It’s even simpler when you have daemon(3): http://man7.org/linux/man-pages/man3/daemon.3.html

            1. 1

              Which you do on OpenBSD, actually.

              Note that daemon(3) is a non-standard extension so it should be avoided for portable code. The implementation is simple enough, though.
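The wrapper the two comments above describe (umask, setsid, chdir, redirect stdio, then exec, using only portable calls rather than daemon(3)), as an added example that is not from the thread; the script name daemonize.py and its option names are my own.

```python
#!/usr/bin/env python3
"""Hypothetical daemonize-then-exec wrapper (added example, not from the thread).

Usage: daemonize.py [--chdir DIR] [--umask OCTAL] [--stdout FILE] [--stderr FILE]
                    [--] COMMAND [ARG ...]
The wrapped COMMAND never forks itself; it just writes to stdout/stderr.
"""
import os
import sys

USAGE = ("usage: daemonize.py [--chdir DIR] [--umask OCTAL] [--stdout FILE] "
         "[--stderr FILE] [--] COMMAND [ARG ...]")

# Defaults: chdir to / so no mount point stays busy, umask 022, discard output.
DEFAULTS = {"chdir": "/", "umask": 0o022, "stdout": os.devnull, "stderr": os.devnull}


def parse_args(argv):
    """Split argv into wrapper options and the command to exec.

    Returns (opts, command); raises SystemExit with the usage text on error.
    """
    opts = dict(DEFAULTS)
    i = 0
    while i < len(argv) and argv[i].startswith("--"):
        if argv[i] == "--":          # explicit end of wrapper options
            i += 1
            break
        name = argv[i][2:]
        if name not in opts or i + 1 >= len(argv):
            raise SystemExit(USAGE)
        value = argv[i + 1]
        opts[name] = int(value, 8) if name == "umask" else value
        i += 2
    command = argv[i:]
    if not command:
        raise SystemExit(USAGE)
    return opts, command


def redirect_stdio(stdout_path, stderr_path):
    """Detach fds 0-2 from the controlling terminal (stdout/stderr are appended to files)."""
    fd = os.open(os.devnull, os.O_RDONLY)
    os.dup2(fd, 0)
    os.close(fd)
    for path, target in ((stdout_path, 1), (stderr_path, 2)):
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o644)
        os.dup2(fd, target)
        os.close(fd)


def daemonize_and_exec(opts, command):
    """Fork, setsid, fork again, umask, chdir, redirect stdio, then exec."""
    if os.fork() > 0:
        os._exit(0)                  # parent returns to the shell / rc script
    os.setsid()                      # new session: no controlling terminal
    if os.fork() > 0:
        os._exit(0)                  # session leader exits, so no tty can be reacquired
    os.umask(opts["umask"])
    os.chdir(opts["chdir"])
    redirect_stdio(opts["stdout"], opts["stderr"])
    os.execvp(command[0], command)   # replaces this process; only returns on error


if __name__ == "__main__":
    daemonize_and_exec(*parse_args(sys.argv[1:]))
```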

          2. 2

            I’m not sure this is accurate, at least on -current. There are several Go “daemons” that as far as I understand don’t support fork(2). These can still be managed by OpenBSD’s rc system:

            # cd /etc/rc.d
            # cat grafana
            #!/bin/ksh
            #
            # $OpenBSD: grafana.rc,v 1.2 2018/01/11 19:27:10 rpe Exp $
            
            daemon="/usr/local/bin/grafana-server"
            daemon_user="_grafana"
            daemon_flags="-homepath /usr/local/share/grafana -config /etc/grafana/config.ini"
            
            . /etc/rc.d/rc.subr
            
            rc_bg=YES
            rc_reload=NO
            
            rc_cmd $1
            

            I’m not sure if there’s more to it that I don’t understand, I don’t write many daemons!

            1. 1

              Well, it turns out, I can’t read! The key to this is rc_bg, see https://man.openbsd.org/rc.subr#ENVIRONMENT

          3. 1

            For those that don’t know, daemontools is a nice service system that explicitly wants programs to not try to daemonize themselves. For services I build and run I try to use that.

          1. 3

            Yup. I run OpenBSD on all my computers at home (laptop + desktop) and I use it for all my VPSs (smtpd, httpd). At work I have a mac because reasons, but I much prefer my OpenBSD systems. Why?

            For (some of these are true of linux as well):

            • Upgrades are painless and infrequent (2 times a year on release)
            • Updates are painless and infrequent (syspatch)
            • Default out of box install uses minimal resources
            • No forced UI changes – I run a minimal desktop manager, it rarely changes
            • Tons of pre-built applications available via pkg_add
            • Performs really well on older hardware (up to a point)
            • Excellent documentation
            • So easy to install (assuming you don’t have any funky hardware or BIOS problems)
            • Sane defaults (example, if you install a server package (redis, mysql, postgres, influx, etc) it’s only going to listen on 127.0.0.1 unless you explicitly tell it to listen on other interfaces, or it’s required for the server to function e.g. samba)
            • includes modern daemons for standard stuff like smtp, http, ntp, dns, dhcp, ipsec and more

            Against:

            • People sometimes complain about performance (network if your hardware is poorly supported, NFS in a mixed environment, i.e. NFS server on linux / freebsd with client on OpenBSD or vice-versa, general performance vs linux – I don’t really notice since I only use OpenBSD, and it always seems to just get faster)
            • Packages aren’t always the most up to date (unless you’re running -current)
            • Mailing lists can be abrasive
            • Not as much hardware support as linux

            I’m sure there’s more, but those are the things I really appreciate about OpenBSD.

            1. 1

              I have a question on packages. Do you use the M:Tier ones? If so how up to date/stable are they? Eg. when something is in ports is it quickly available there? Do you know if it’s hours, days, weeks or more?

              1. 1

                I don’t use them, no. I run -current on my primary machine, so packages are updated as soon as the updates are built and propagated to the mirrors. On my other machine, I’m ok being a bit out of date.

            1. 4

              No mention of gopher clients! How are you supposed to see other people’s posts? I found this one: http://gopher.quux.org:70/devel/gopher/Downloads/ which seems to work pretty well. I remember back in the day firefox/netscape used to support gopher:// URLs but pretty sure that’s no longer the case.

              1. 5

                I use OverbiteFF on Firefox. Lynx also supports gopher. But where was the author’s gopher site? If it’s so easy (and it is [1]) why did he not do it himself? Seems odd.

                [1] Not only do I run gopher but I wrote my own server, mainly to serve up my blog.

                1. 5

                  The original article is posted on gopher here: gopher://sdf.org/0/users/dbucklin/posts/how_gopher.txt

                  Lynx is a fantastic gopher browser and there are several new ones also in active development. There’s sacc(1) from the folks at bitreich.org and also VF-1 if you prefer more of a REPL style interface.

                  1. 3

                    I’m going to take this rare opportunity to plug my gopher client: https://github.com/enkiv2/misc/blob/master/ncgopher.py – not because it’s particularly good, but because it’s a good illustration of how straightforward a featureful gopher client is to write.

                    I’m aware of a couple people on mastodon making much more polished & featureful clients. I can’t remember their names offhand, unfortunately.

                2. 4

                  You can use elinks, lynx, cgo, sacc (that you can try via ssh at ssh://kiosk@bitreich.org), clic, curl to download…

                  Most browsers can start an external program after downloading a file, (xdg-open by default). Gopher has text-menu but is not text-only.

                  Even plain netcat/telnet, given how simple the protocol is. If all you want is getting a document from gopher: printf '/0/%s\r\n' "$url" | nc "$host" 70 > file.

                  Firefox dropped the gopher:// protocol support. moz :/ la…
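The protocol pieces the comments above lean on (the selector-plus-CRLF request behind the printf | nc one-liner, the item-type character that sits in a gopher:// URL but is not sent on the wire, and menu parsing), as an added example that is not from the thread; the sample menu is constructed and fetch() needs network access.

```python
"""Minimal Gopher (RFC 1436) client pieces. Added example, not from the thread."""
import socket
from dataclasses import dataclass
from urllib.parse import urlsplit

GOPHER_PORT = 70


@dataclass
class MenuItem:
    itemtype: str      # '0' text, '1' menu, 'i' info, '7' search, 'h' html, ...
    display: str
    selector: str
    host: str
    port: int


def parse_gopher_url(url):
    """gopher://host[:port]/<type><selector> -> (host, port, type, selector)."""
    parts = urlsplit(url)
    if parts.scheme != "gopher" or not parts.hostname:
        raise ValueError("not a gopher URL")
    port = parts.port or GOPHER_PORT
    path = parts.path or "/"
    if path == "/":                      # bare host: the root menu
        return parts.hostname, port, "1", ""
    return parts.hostname, port, path[1], path[2:]


def build_request(selector):
    """A request is the selector followed by CRLF and nothing else."""
    if any(c in selector for c in "\r\n\t"):
        raise ValueError("selector contains CR, LF or TAB")
    return selector.encode("utf-8") + b"\r\n"


def parse_menu(raw):
    """Parse a menu: <type><display>\\t<selector>\\t<host>\\t<port> per line,
    terminated by a lone '.' line; anything after the terminator is ignored."""
    items = []
    for line in raw.decode("utf-8", "replace").split("\n"):
        line = line.rstrip("\r")
        if line == ".":
            break
        if not line:
            continue
        fields = line[1:].split("\t")
        fields += [""] * (4 - len(fields))       # tolerate short info lines
        try:
            port = int(fields[3]) if fields[3] else GOPHER_PORT
        except ValueError:
            port = GOPHER_PORT
        items.append(MenuItem(line[0], fields[0], fields[1], fields[2], port))
    return items


def fetch(host, selector, port=GOPHER_PORT, timeout=10, max_bytes=1 << 20):
    """Same exchange as printf '%s\\r\\n' "$selector" | nc "$host" 70, size-capped."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(selector))
        while total < max_bytes:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
    return b"".join(chunks)


# Constructed sample of what a server returns for a type-1 (menu) selector.
SAMPLE_MENU = (
    b"iConstructed test menu\tfake\t(NULL)\t0\r\n"
    b"0How gopher works\t/users/dbucklin/posts/how_gopher.txt\tsdf.org\t70\r\n"
    b"1Downloads\t/devel/gopher/Downloads\tgopher.quux.org\t70\r\n"
    b".\r\n"
    b"0ignored after terminator\t/x\texample.invalid\t70\r\n"
)

if __name__ == "__main__":
    for item in parse_menu(SAMPLE_MENU):
        print(item)
```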

                  1. 4

                    Indeed it isn’t (and I think even the Firefox add-ons that added back support don’t work anymore…)

                    Haiku’s network protocol client layer has first-class Gopher support, and since our WebKit port uses our internal protocol stack, you can browse Gopher in WebPositive.

                  1. 1

                    This is so cool!

                    1. 4

                      Been reading Oryx and Crake by Margaret Atwood… dystopian sci-fi… so far, I’m quite fond of it.

                      1. 4

                        Ooh thanks for that. Just finished the recent remake of A Handmaid’s Tale and first read the book just a few years back. She’s amazing. Will definitely look that up.

                        1. 3

                          Read the sequels. I think the whole trilogy is quite good.

                        1. 5

                          Another small bug on http://www.openbsdjumpstart.org/#/24:

                          # For example, tune ntpd(8) to try to set the time immediately at startup:
                          /usr/sbin/rcctl enable ntpd
                          /usr/sbin/rcctl set apmd flags -s
                          /usr/sbin/rcctl restart ntpd
                          

                          That second rcctl should be for ntpd, not apmd.

                          1. 1

                            Corrected, thank you very much!

                          1. 2

                            I’ve worked in both Agile (SCRUM) and “whatever you call what we did before” environments, and to me Agile is definitely an improvement. I don’t think it’s the best of all possible solutions to the problem of developing software, but it’s pretty good at what it does if it’s used properly. One thing that I find it doesn’t do well is give the team enough of a voice into what the product needs. I guess technically the team is one of the stakeholders and so they can negotiate with the PO to get their needs put into the backlog, but… sometimes you want to be able to fix something w/out having to create a backlog item, and then talk to the PO about it, and then groom it, and then get it put into a sprint to be worked on. I’d like to think that at some point a team reaches a state of maturity where the PO is just communicating business goals to the team, and shielding the team from interruption while the team figures out what they need to do to meet the business goals, and then does it.

                            1. 1

                              Just came across this magazine today. It looks really good!

                              1. 4

                                For further reading I recommend The Phoenix Project, it’s a great book

                                1. 4

                                  Also, Slack by Tom Demarco (one of the authors of Peopleware) talks directly about this issue, though not as entertaining as The Phoenix Project.

                                1. 2

                                  Great reminder to donate again!

                                  1. 7

                                    It’s the year 2044. WhopperCoin™ is the dominant currency in our new socialist society: we buy burgers and then get even more WhopperCoin™.

                                    We are unfortunately ruled by the “Burger King”.

                                    He who controls the burgers controls the universe.

                                    1. 1

                                      Strange, I was pretty sure Taco Bell won the restaurant wars…

                                    1. 4

                                      I’d love to hear one on the BSD ports tree.

                                      1. 2

                                        Better yet, one for each BSD packaging system!

                                      1. 1

                                        I have to admit, I’m a bit skeptical about “web security checklists” which don’t even mention OWASP. I’d have other criticisms of the article as well, but I’m not sure it’s worth going through them.

                                        1. 2

                                          Overall the checklist seems pretty useful from the “covering your bases” point of view. The major components seem to be covered, but I’m not a security expert. What are your other criticisms, if you don’t mind sharing?

                                          1. 2

                                            I wouldn’t say it’s a very high-quality list - seems pretty light on actual details. Not referencing OWASP is a bit of a red flag, because at least in my world, it’s pretty well respected (although out of date on some things).

                                            Here’s a few specifics, though:

                                            If you have drunk the MVP cool-aid and believe that you can create a product in one month that is both valuable and secure

                                            That’s really not what MVP is about. Creating an MVP without security shouldn’t equal “creating a product”. Also, “MVP cool-aid”? Hmm.

                                            Use encryption for data identifying users…

                                            Eh? What? Like user IDs or usernames?

                                            … and sensitive data like access tokens, email addresses or billing details if possible (this will restrict queries to exact match lookups).

                                            Encrypt access tokens? And I really don’t understand what is meant by “restrict queries to exact match lookups” in the context of encryption.

                                            Fully prevent SQL injection by only using SQL prepared statements.

                                            SQL injection isn’t “fully” prevented by prepared statements, but they do help a lot.

                                            Implement simple but adequate password rules that encourage users to have long, random passwords.

                                            Random is really necessary. And even simple rules are frequently prohibitive.

                                            Consider CAPTCHA on front-end APIs

                                            Eh?

                                            While security through obscurity is no protection, using non-standard ports will make it a little bit harder for attackers.

                                            “While security through obscurity is no protection, do it anyway”.

                                            Always use AWS IAM roles and not root credentials.

                                            Unless you’re not using AWS.

                                            My reply is already long enough, so I’ll stop now. I’ve probably been overly critical, but the initial feeling I had wasn’t too great. It would also have been nice for there to be some links to more details about all of these points - a lot of people aren’t going to know about X-XSS headers, IDSes, etc etc.

                                            1. 1

                                              Cool, thanks for elaborating.

                                          2. 2

                                            It’s nice to name drop, but I’m not sure OWASP is especially important. I mean, literally, I’m not sure. When I look at it, it now looks like old, well-known vulnerabilities largely made obsolete by better frameworks. But the average developer is probably inexperienced, especially with security issues, and using bad tooling in unsafe ways. I dunno.

                                            1. 1

                                              That article you referred to is very specific to Rails. OWASP is language-agnostic. It may be that everybody using Rails is using better frameworks that make issues obsolete - but a lot of the rest of the web isn’t.

                                            2. 1

                                              I think checklists can be great for ensuring proper processes are followed, and that the obvious steps are not missed, or done in the wrong order, but I agree that checklists are not a panacea (eg checklists in aviation and healthcare).

                                            1. 20

                                              My 3 year old wanted me to share his “battlestation”: http://imgur.com/a/xldXE

                                              1st generation OLPC XO laptop. A bit slow, but gets the job done!

                                              1. 5

                                                This is super awesome :D

                                                1. 3

                                                  Oh, is that the Sugar interface on there? Would love to hear more how he uses it :-)

                                                  1. 7

                                                    Yeah, Sugar. Mostly he plays with the robot voice application (the one that’s currently open). He likes to type his name and have the robot read it back to him. Or, random letters and digits to see what the robot will say. Other than that, he likes the maze application and logo though he still needs my help with logo.

                                                    1. 2

                                                      Heh, I have an XO-1 running here too, though I don’t really have it doing anything - I’d like to put OpenBSD on it, but it’s stupidly PC incompatible, and to put the “XP” (read: BIOS) firmware on, you need a hardware flasher.

                                                    1. 3

                                                      I remember my first time on vim. I couldn’t even exit. I tried typing ctrl-q, alt-q, esc, q, quit, exit, alt-f4, f1, help, smashing the keyboard etc. None of that worked.

                                                      And that’s why I’m an emacs user.

                                                      1. 4

                                                        How is quitting emacs easier? I remember the first time I tried emacs I had the same problem… impossible to quit. Isn’t quitting emacs: “ctrl-x” followed by “ctrl-c”?

                                                      1. 1

                                                        One I stumbled upon recently was leave which lets you specify a time you need to leave, and will then alert you on your tty that it’s time to leave. Also… yes though, I don’t really use it often.

                                                        1. 6

                                                          Nice. I can’t afford it, but I can send Theo $60.00.

                                                          done.

                                                          1. 4

                                                            I’d be interested in five whys on this, starting with why you want ads and seeing where that leads. I suspect there may be some better ways to achieve your goals. So, why do you want ads?

                                                            1. 39

                                                              My room full of gold coins is getting too shallow to dive into.

                                                              1. 15

                                                                What if you reduce contrast to black on black text and we have to pay a number of bitcoins equal to the desired background color?

                                                                1. 21

                                                                  Hackers will just highlight all the text and bypass my scheme.

                                                                  1. 3

                                                                    What about adding 500ms latency to every request? Sell this added latency monthly for target monies.

                                                                    Example: $2000 monthly target, that would be $4 for 1ms - so when you are paid $2000 monthly everything is back to normal.

                                                                    1. 7

                                                                      This idea actually has legs. Adding a few seconds to every page load would keep the site accessible to free users but strongly encourage paid usage.

                                                                      And OMG, I have a great idea that dovetails with this one! Get this – slow down the page load with ads.

                                                                      1. 3

                                                                        I shared a similar idea with HN, but with more accent on adding useless bytes. It seems that it was a bit controversial:

                                                                        https://news.ycombinator.com/item?id=14096516

                                                                2. 2

                                                                  Have you considered other ways of generating revenue? Membership levels or premium features? Reddit gold system? Wikipedia style begging? Job boards? Or consultant listings? Boardgamegeek style system with badges for annual supporters? Some sort of educational based system where you can connect folks wanting to learn with experts? I think it’s worth putting time into brainstorming.

                                                                  1. 19

                                                                    That sounds like a lot of extra work for me, can’t I just get money for free?

                                                                    1. 8

                                                                      Gah, kids these days!

                                                                      More seriously though, as someone who dislikes 99% of advertising and blocks it wherever possible, if it’s something that’s done tastefully and in moderation, I have no objection in principle. It’ll be more work, but what about an option to pay, eg, $20/year to not see the ad?

                                                                      1. 6

                                                                        This could be extended into a game: “Donate to keep the site ad-free” ;)

                                                                        Have some visible marker for how many ad-free days there were donations. If the marker goes to zero, ads appear. If the community donates enough to keep the marker up, no ads. I’m not sure if advertisers would agree with this, since they probably want to have some control over the timing. Maybe it can be tweaked.

                                                                        Economically, this is a special anti-ad, which heats up the bidding war between advertisers. If advertisers are ok with paying more, then the marker should shrink faster.

                                                                      2. 5

                                                                        What about a paid “hat” like… “lobster” or “supporter”, or something. Already got a hat system, then you can let people buy them for a month / year / day whatever.

                                                                        1. 2

                                                                          Why do you think ads won’t be a lot of work? I imagine they’ll come with a host of unintentional consequences which will end up costing you plenty of time, effort and I don’t know what else.

                                                                          No free lunch.

                                                                  1. 9

                                                                    So true. I feel like I have to kill slack off every few days to stop my computer from melting.

                                                                    1. 3

                                                                      On my Windows desktop at work Slack currently has 10 separate processes which amount to 547MB of RAM used. We just started using it, it’s just sitting in the system tray getting no messages.

                                                                      1. 2

                                                                        This is one of those few times I think separation kernels might help in non-security use on desktops. Well, it sort of is a security principle where the app becomes a threat to your machine. The separation kernels would enforce strict time (CPU) and space (memory) isolation on the system where apps only get what you allow them. They can ask for as much as they want but can’t bypass limits. Might even be ways to force a sleep on them that way where they just think the Internet went down and back up a while or something. Nah, the partition just got no CPU time for a while. :)

                                                                        Example showing how much is controlled:

                                                                        http://www.ghs.com/products/safety_critical/integrity-do-178b.html

                                                                        Note: Either the app would have to run in VM’s or be redeployed to use such tech. Otherwise, it’s all in one partition that all goes sluggish at once.

                                                                        1. 2

                                                                          Can’t a half arsed version of this be achieved with a normal kernel with modified scheduling, “Oh, you took 100% CPU the last 3 times you context switched to you, we’re going to skip you next round, we’ll get back to you in a few nanoseconds, good luck!”.

                                                                          1. 2

                                                                            Yeah you can do that. It’s just not guaranteed to work if the kernel is non-deterministic or easily impacted by what apps do. You can do it, though.

                                                                        2. 1

                                                                          Slack and Atom are both common culprits on my system.

                                                                        1. 4

                                                                          Is sublevel open source? I see:

                                                                          “We’re simply in ♥ with open–source.”

                                                                          But no links to repos. Just curious.