1. 4

    Is there a “best-of” or “significant changes” list for OpenBSD releases? The changelog is detailed, but it’s easy to miss something between the points one might not be familiar with.

    1. 3

      undeadly.org usually has a list of the “highlights” in their articles about new releases. The one about 6.7 can be found here. I don’t see anything for 6.8 yet though.

      1. 3

        An in-kernel WireGuard driver and TLSv1.3 being enabled in LibreSSL were the two things that stood out for me. Here’s the Undeadly article.

        1. 1

          List of most significant innovations - https://www.openbsd.org/innovations.html

          1. 2

            I’m familiar with that page, it’s just not 6.8-specific.

            1. 1

              Right, you’ve used plural releases and didn’t mention 6.8 specifically:

              Is there a “best-of” or “significant changes” list for OpenBSD releases?

It’s either the changelog - the plusXX.html pages - or the release pages - XX.html - themselves. The latter is separated into sections in case you’d like to look at bugfixes, kernel, userland, etc.

              1.  

I see why you thought that I was looking for something like innovations.html, the question was ambiguously phrased.

        1. 1

          Pretty neat! The UX is still a bit rough it seems…

          1. 2

            Still, much better than GnuPG ;^)

          1. 4

            I’m very satisfied with https://github.com/debauchee/barrier (synergy fork/continuation).

            1. 4

              Barrier doesn’t switch monitors. You need a separate monitor (or monitors) for each machine.

              1. 2

                Ah, yes. Slightly different use cases, I guess.

              2. 2

Haim’s solution is pretty ingenious, though!

                Now that I know of it, I wish there was a DDC/CI tool I could use on OpenBSD :^)

              1. 1

                And finally, font choice. The fastest, easiest, and most visible improvement you can make to your typography is to ignore the fonts already loaded on your computer (known as system fonts) and the free fonts that inundate the internet. Instead, buy a professional font (like those found in font recommendations). A professional font gives you the benefit of a professional designer’s skills without having to hire one.

                Ouch! Donald Knuth et al. - you’re not worthy!

                1. 2

                  Another way is to be explicit in saying what shell the terminal app should run.

                  1. 1

                    Given that the article mentions brew, being explicit would break upon update + cleanup.

                    1. 1

                      I’ve been using brew for years and haven’t had a problem. /usr/local/bin/zsh is a symlink for a reason.

                      1. 1

                        Another way is to be explicit in saying what shell the terminal app should run.

                        Thought you meant:

                        /usr/local/Cellar/zsh/5.7.1/bin/zsh
                        

                        Did I misunderstand the above?

                        1. 2

                          I think GP is referring to, in this example, /usr/local/bin/zsh.

                  1. 6
                    readlink -f "${SHELL}"
                    

Which works on most modern Unix-like systems except… macOS, where readlink(1) doesn’t have the -f option ;^) so

                    stat -F "${SHELL}"
                    

                    would probably be the closest thing.

                    1. 9

                      There’s no guarantee that $SHELL points to the currently running shell. It can point to literally anything.
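A way to check what is actually running, rather than trusting $SHELL, as an added example that is not from the thread. It assumes a POSIX sh with either /proc (Linux) or ps(1) available, and resolves symlinks by hand so it does not need readlink -f:

```shell
# Added example, not from the thread: find the shell that is actually
# running this script instead of trusting $SHELL, which any caller can set.
# Assumes POSIX sh plus either /proc (Linux) or ps(1) (macOS, the BSDs).

# Resolve a path to its final target without readlink -f (absent on macOS).
# Follows symlinks one hop at a time and gives up after 32 hops (loop guard).
resolve_path() {
    p=$1
    [ -n "$p" ] || return 1
    n=0
    while [ -L "$p" ] && [ "$n" -lt 32 ]; do
        t=$(readlink "$p") || return 1
        case $t in
            /*) p=$t ;;                     # absolute link target
            *)  p=$(dirname "$p")/$t ;;     # relative to the link's directory
        esac
        n=$((n + 1))
    done
    [ "$n" -lt 32 ] || return 1
    # pwd -P normalises the directory part ("dir/../x", symlinked dirs).
    d=$(cd "$(dirname "$p")" 2>/dev/null && pwd -P) || return 1
    printf '%s\n' "$d/$(basename "$p")"
}

# Executable behind the current process ($$ is this shell's own PID):
# /proc/<pid>/exe on Linux, ps(1) elsewhere. Login shells report as "-sh",
# so the leading dash is stripped.
running_shell() {
    if [ -r "/proc/$$/exe" ]; then
        readlink "/proc/$$/exe"
    else
        c=$(ps -p "$$" -o comm=) || return 1
        printf '%s\n' "${c#-}"
    fi
}

# True only if $SHELL resolves to the same program that is running now.
shell_var_matches() {
    real=$(running_shell) || return 1
    claimed=$(resolve_path "${SHELL:-}") || return 1
    [ "$(basename "$real")" = "$(basename "$claimed")" ]
}
```

Calling shell_var_matches from a script started by a different interpreter (for example sh with SHELL=/usr/local/bin/zsh exported) returns false, which is the mismatch the comment above warns about.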

                    1. 1

                      Confusingly, my Thinkpad laptop keyboard has only an Enter key (which isn’t L-shaped, and doesn’t have a return arrow printed), but xev says it sends Return, and indeed it really does seem to act as a Return key in all the ways I can tell from Linux. I’ve been typing so long I don’t think I’ve ever bothered to look at the label on it before, and now I find it highly annoying!

                      1. 1

                        which isn’t L-shaped

                        The (IMO awful) L-shape is found on ISO layouts, while ANSI has the (good) single row key.

                        1. 1

                          The (IMO awful) L-shape is found on ISO layouts, while ANSI has the (good) single row key.

                          Each to their own - I’ve learnt to always hit Return somewhere around its centre and usually miss it when typing on a keyboard with ANSI layout. There is no awful or good here my friend - just a matter of what one is used to.

                      1. 2
                        sudo pkill transmission && transmission-daemon
                        

That’s quite a hammer you’re using there - on a multi-user system, this would kill every user’s transmission process. You might want to think about a more targeted approach and give it a chance to quit gracefully while you’re at it, i.e.:

                        pkill -INT -u $euid transmission
                        
                        1. 1

                          transmisison

                          There’s a small typo there! (not just here in the quote but in the article)

                          1. 1

                            There’s a small typo there! (not just here in the quote but in the article)

                            There is no typo here - I quoted the article verbatim. Go and complain there! :^P

                            Don’t you have anything better to do? ;^)

                            1. 1

                              Edited! Happy!? :^)

                          2. 1

                            pkill -INT -u $euid transmission

                            This doesn’t seem to work because of $EUID which in this case is your RUID while the transmission-daemon is running as whatever default user it is defined to.

                            Edit: Just tested and it doesn’t work

                            1. 1

Then use -U :^P

                              Being root or using sudo will surely help if the process you’re trying to kill isn’t running under your own $(E)UID ;^)

The above is simply an example that you can (and should!) be more careful at targeting your pkill commands when running as root or with sudo.

                          1. 2

                            beware of using transmission-cli though, it has been deprecated in favor of transmission-remote, and it’s less handy because it runs as a foreground process, so when you launch your torrents with transmission-cli, unless you add the ampersand (&) it will lock the current terminal (which is far from ideal if you’re using ssh).

                            Deprecated it, indeed, is. As a general rule, though, that’s what a terminal multiplexer, i.e. tmux, is for :^)

                            1. 1

                              Fair enough :D but I guess my point is, you don’t really have a way to get the status of all the torrents in the same place.

                            1. 2

                              Is it more appropriate/desirable from your experience to have entire articles available in an RSS feed? I just show title, date, description. Not even image…

                              1. 6

                                Given that I use newsboat as my feed reader, I do appreciate when the whole article is included in the feed - it saves time more than anything. I’ll open it in a GUI web browser if there are images related to the content, though.

                                1. 1

                                  I have too many feeds, and when I’m thinning them down the first ones to go are ones without full articles, or at least a few paragraphs.

                                2. 2

                                  I don’t know if it is appropriate/desirable in general to include all content in the feed. I personally prefer feeds that include the full text. It seems that I am not the only one because there are commercial products that generate full text feeds from partial ones.

My impression is that partial feeds became more popular with publishers as a way to prevent people from bypassing their paywalls and/or to monetize page views on their main website. If you monetize your website, I would keep partial articles in your feed. If you don’t monetize it, I would suggest including a full feed just to accommodate your readers that might prefer it.

                                  1. 2

                                    I make everything available in RSS feeds.

I read RSS heavily on my phone and love it when full feeds are available. I understand many news sites can’t do that, so in that case I am happy to subscribe for a full feed (e.g. Ars Technica) or just click through to open in browser.

                                    1. 2

                                      Yes, I prefer to read the entire article straight from my feed reader. I find it much less distracting than having to open a web browser, copy the link (I use newsbeuter, so links aren’t clickable) and visit the web site. Of course it doesn’t help that many websites aren’t exactly designed to be pleasant to read, just to look good (or to make money with distracting banners).

                                      1. 1

                                        Yes, I prefer to read the entire article straight from my feed reader.

                                        You and me both! :^)

                                        I use newsbeuter […]

                                        Ouch! From the very top of the README:

                                        ABANDONED! An actively maintained fork is available in newsboat repo

                                        […] so links aren’t clickable

                                        This is a feature of your $TERM, not feed reader.

                                        Of course it doesn’t help that many websites aren’t exactly designed to be pleasant to read, just to look good (or to make money with distracting banners).

                                        You can say that again! Unless there’s a really good article, linked from multiple sources, I never visit anything Medium-like.

                                        1. 1

                                          Yikes, I didn’t know newsbeuter was abandoned. I just installed newsboat and was happy to see that it converted my newsbeuter config automatically. It’s truly a drop-in replacement! Thanks for the tip!

                                          This is a feature of your $TERM, not feed reader.

                                          Yeah, true. But if I was using a non-terminal based feed reader, it’d likely have clickable links.

                                          1. 1

                                            But if I was using a non-terminal based feed reader, it’d likely have clickable links.

                                            However, you chose a terminal feed reader! If clickable links were a priority, you’d most likely go for a GUI option, no? ;^)

                                            Either way, it’s an easy fix :^)

                                            1. 1

                                              haha, true that. But the point was about how it’s more convenient to read it in the reader anyway. That’s not an easy fix for me, but it is for the site’s author!

                                    1. 5

                                      I remember the days when Chrome and Firefox both displayed RSS feeds for websites right in the browser.

                                      1. 2

                                        I remember the days when Chrome and Firefox both displayed RSS feeds for websites right in the browser.

That’s exactly what the author mentions in the article:

                                        RSS used to be displayed far more prominently in browsers. Firefox, Safari, and the Chromium-based browsers used to include RSS icons or text in their UIs that would activate upon detecting a page with the appropriate meta tag.

                                        ;^)

                                        1. 6

Coincidentally I’ve recently read about mailto links not being ideal and I think RSS feeds suffer from a similar problem: links to them are kind of useless beyond signaling their existence. I am much more inclined to plop the website’s URL in the RSS reader than copy the feed URL directly. There used to be the idea of a “feed://” scheme floating around, but I’m not sure if it has caught on.

                                          1. 8

Coincidentally I’ve recently read about mailto links not being ideal and I think RSS feeds suffer from a similar problem: links to them are kind of useless beyond signaling their existence.

In my experience, it’s the opposite - if the feed icon/URL is not featured on the page I have to copy the site address, open the feed reader, paste it, pick the appropriate feed (RSS, Atom, comments, etc.) and finally add. With a direct link, all I need is to click on it and my reader opens automatically.

I am much more inclined to plop the website’s URL in the RSS reader than copy the feed URL directly.

                                            This is what I’m forced to do because most pages don’t feature direct feed URLs.

The problem is even worse when it comes to podcasts - one can find links to all sorts of iTunes, Google Play, Stitcher, Spotify, etc. but I don’t have any desire to use any of it and frequently have to ask for a direct feed URL.

                                            1. 3

if the feed icon/URL is not featured on the page I have to copy the site address, open the feed reader, paste it, pick the appropriate feed (RSS, Atom, comments, etc.) and finally add

                                              This bugs me every time I have to do it. Plus, there’s a ~20% chance that the site doesn’t expose any type of feed, so I have to go to a workaround like politepol to follow the site :(

                                              1. 6

                                                This bugs me every time I have to do it. Plus, there’s a ~20% chance that the site doesn’t expose any type of feed, so I have to go to a workaround like politepol to follow the site :(

                                                Don’t get me started about sites** without any type of feed.

So, you post stuff every so often and would, presumably, like someone else to read it.

                                                Sure.

                                                Are you expecting me to visit every n days/weeks/months or script it?

                                                Yeah, why not?

                                                Thanks, but no thanks.

                                                ** like with everything in life, there are, of course, exceptions :^)

                                              2. 2

                                                With a direct link, all I need is to click on it and my reader opens automatically.

                                                Ah, that’s cool! Does it work with any old https:// link to a feed?

                                                1. 2

                                                  Does it work with any old https:// link to a feed?

                                                  Sure, as long as it is being served with the correct media type.

                                                  1. 2

                                                    Huh, on macOS I get three different behaviors in three different browsers for a MIME type of application/rss+xml:

                                                    • Firefox offers to download the file, or open it with… Sublime Text
                                                    • Safari invokes the RSS reader (NetNewsWire)
                                                    • Chrome loads the feed as plain text

                                                    Since I use FF day to day, this behavior might have colored my impression of RSS feed URLs.

                                                    It would be interesting to see how https:// vs. feed://, text/xml vs application/rss+xml behave in the year 2020, and which version (or combination) offers the broadest convenience.

                                                    1. 2

                                                      You can change the file type’s associated program in FF’s Preferences.

                                                2. 2

                                                  My experience chimes with this. I always copy and paste the feed URL. I even use this extension to show me feed links like Firefox used to.

                                                3. 1

Coincidentally I’ve recently read about mailto links not being ideal

                                                  That was a fascinating insight into the average user. In every desktop browser I’ve used, right-clicking on a mailto link gives an option of copying the address (often it includes the mailto: prefix, but that’s easy to trim after you paste). I’d never have thought about trying to copy the text because that requires accurately hitting the start and end, whereas right-clicking requires me to hit somewhere in the link. A copy button is potentially a good idea, but I am quite reluctant to encourage untrusted web sites to be able to write things to my clipboard. As far as I know, there are Chrome and Firefox plugins that will allow you to forward mailto links to a webmail client and it surprises me that people who use webmail wouldn’t set these up - I remember this being a problem 20 years ago but largely a solved issue 15 years ago. Does Chrome really not integrate with Gmail?

                                                  The article asks why browsers removed the RSS button. I know why this happened in Safari because Apple talked about it publicly. The user experience for RSS depends on being able to see new things easily. That doesn’t work well when you read feeds on multiple devices unless you have some mechanism for syncing the ‘read’ state across devices. Apple didn’t have that and didn’t want a core feature of the browser to depend on iCloud. The popular RSS readers were all server-side things that kept track of what you’d read centrally. These could ship a browser plugin that detected the RSS feeds and let you add it to your list, so this didn’t need to be core browser functionality. A quick look in the Chrome store implies that only feeder.co actually does this.

                                                1. 14

                                                  If you want to run your own version, I can highly recommend the independent rust server implementation here: https://github.com/dani-garcia/bitwarden_rs

                                                  Very easy to set up and compatible with the browser extensions, android app etc.

I have been using this for months, running it on a Raspberry Pi behind a VPN at home (with encrypted offsite backup). Works like a charm.

                                                  1. 6

                                                    Or, you can use @jcs’s rubywarden.

                                                    1. 1

I am trying out bitwarden_rs now and do feel the same usability as the mainstream software. Do you have any feedback about rubywarden regarding existing features, usability compared to the main software, and mostly, maintenance tips? Thanks!

                                                    2. 4

                                                      I run this in a docker container alongside watchtower to keep it up to date. Runs like a champ, I hardly ever have to touch it.

                                                      1. 3

Same here. I am not a fan of Docker in general, but trying to compile this myself on a Raspberry Pi tipped me over the edge towards using Docker for this.

                                                    1. 4

Ohhhh, nice! That’s what I was looking for, after being thrown out yet another time with Neomutt and its inability to use multiple accounts like everything else does. But I understand it, as it was primarily a Maildir/mbox client.

                                                      1. 3

                                                        If anyone’s interested, here’s my TUI mail client: https://meli.delivery/

                                                        1. 1

                                                          Niice! Going on my “things-to-replace-mutt” list.

                                                          But please call me again when it gets truly asynchronous (right now it hangs UI on startup when IMAP connection begins, I can’t reliably show/close the ‘?’ shortcuts view) and gets the SMTP support :)

                                                        2. 1

                                                          Doesn’t seem like it does, at least not yet - https://github.com/soywod/iris.vim/issues/17

                                                          BTW, (Neo)Mutt works just fine with multiple accounts - I’ve been using it with 4-5 accounts for years. Granted, configuration requires one to know Mutt well enough.

                                                        1. 5

                                                          Cloudflare is trying to centralize the internet

                                                          I agree this is not ideal. But they provide good services and actively contribute to the security of the internet in terms of open source work and pushing for stronger standards. Ideally everyone would host their own services but I don’t think centralisation on its own is a very strong argument. Disincentivizing centralisation takes more than tackling centralised services one by one.

                                                          Instead of the user directly connecting to the intended website, the user is connected to Cloudflare’s servers instead. […] Cloudflare gets to see the billing details and possibly payment information of customers

                                                          No worse than trusting your own hosting provider. This issue exists any place you’re not self-hosting. However Cloudflare can do a lot more damage if at any time they turn malicious.

                                                          In addition to that, while your browser may show that the connection is encrypted using HTTPS, it does not necessarily mean that the connection between Cloudflare and the target site is encrypted as well.

                                                          100% agree with this statement. They should enforce that a trusted certificate be installed and verified on the origin server. You can manually enable this but for sure lots of people do not.

                                                          Cloudflare is shielding cybercriminals

So is encryption. So does the NHS. Criminals also breathe air like the rest of us. This argument implies that Cloudflare should also be acting as a moderator for content which I do not agree with.

                                                          they do not seem too bothered about some of their customers hosting the very services they strive to protect against, on their own platform

                                                          The attacks themselves will not be coming from Cloudflare’s servers.

                                                          Scaring internet users into thinking their ISPs are insecure in the middle of a global pandemic

                                                          What? So is SSLLabs bad for listing the TLS ratings of different services? Or internet.nl? I don’t understand this viewpoint. And you’re going to back it up by appealing to coronavirus?

                                                          1. 0

                                                            Cloudflare is shielding cybercriminals

                                                            So is encryption.

                                                            Encryption is a technology and is therefore blind.

                                                            So does the NHS.

                                                            Yes, they do not discriminate.

                                                            Criminals also breathe air like the rest of us.

                                                            C’mon.

This argument implies that Cloudflare should also be acting as a moderator for content which I do not agree with.

                                                            It’s not just about content which I do not agree with or is morally objectionable but the kind which is illegal. On the other hand Cloudflare, with their 1.1.1.1 for Families service, was absolutely fine to filter LGBT resources and sex education websites so how aren’t they a moderator?

                                                            So is SSLLabs bad for listing the TLS ratings of different services? Or internet.nl?

                                                            Both provide opt-in tests - the former allows for the results not to appear on their site, while the latter has a Hall of Fame, not Hall of Shame. Also, they neither encourage nor facilitate using Twitter to spread fear and cause panic.

                                                            1. 6

                                                              absolutely fine to filter LGBT resources

                                                              How did you interpret “never intended to do it, reverted the wrong list as fast as they could, and apologized profusely for the mistake” as being “absolutely fine” with it?

                                                              1. 3

                                                                On the other hand Cloudflare, with their 1.1.1.1 for Families service, was absolutely fine to filter LGBT resources and sex education websites so how aren’t they a moderator?

                                                                This is what I would use to respond to your first point. Cloudflare as a content service provider, sitting on the internet acting as a proxy and middle-man, providing this technological service, should not be moderating what content is and is not permitted to exist.

                                                                but the kind which is illegal

                                                                Sure, but arguably it is up to the original host to take that content down, not Cloudflare. I doubt the feds are sitting there trying to DDoS illegal websites.

                                                                Also, they neither encourage nor facilitate using Twitter to spread fear and cause panic.

Man, people aren’t sitting there terrified in their homes because some guy on Twitter said their ISPs aren’t secure. There absolutely should exist a list tracking the adoption of secure technologies by providers that make up a significant market share. And there should be people encouraging the adoption of these technologies.

                                                                What Cloudflare did here is not harmful by any stretch of the word and it’s a reach to claim that it is.

                                                                1. 2

                                                                  I am no fan of Cloudflare, but I’ve found your tone on this topic absolutely obnoxious. Go back through any post you’ve had in just the last couple of days and count the amount of bolds, underlines, and “hot takes”. Even this post has no real information about the arguments on the field and isn’t even a good satire (opinion obviously). I have no idea who is upvoting this post.

                                                                  People absolutely do shame each other for things like that and those have been the only time it’s worked, see plaintext offenders. I have gone through literal year long disclosure process with vulnerabilities I’ve found in companies just to have them drag their feet until someone else discovered the vuln and published it publicly. Guess which one got things fixed? It’s not a one size fits all, but publishing the routing information about RPKI support is making public information that is not available to the average user. I think it’s a service, shame or not.

                                                              1. 12

                                                                This mostly seems like a reaction against Cloudflare promoting RPKI, from people/ISPs who don’t want to bother with RPKI. Since IMO RPKI is a good, valuable improvement to security, I’m a bit disinclined to give much credence to this.

                                                                E.g. The claim that Cloudflare is supposedly stifling combining their services with other providers because you have to… pay to do so, instead of using their free plan? That doesn’t sound malicious to me. If you’ve never paid them a dime, why do you expect them to provide any free service you want? It’s not even expensive: it’s $5/month for all the features of their Business plan as long as you’re under 10MM requests/month (and fairly reasonable pricing over that too). It’s not like the ISPs who are complaining about RPKI are giving away their services for free; why should they complain about Cloudflare charging reasonable prices for their services too?

                                                                1. 1

                                                                  […] Cloudflare promoting RPKI, from people/ISPs who don’t want to bother with RPKI.

                                                                  More like engaging in a counterproductive behaviour, i.e. public naming and shaming of those who don’t yet (fully) support RPKI.

                                                                  That being said, please look at the tag and the disclaimer/footer on the page:

                                                                  While this site is a parody, it may contain factual information. :)

                                                                  ;^)

                                                                  1. 27

                                                                    It’s worth linking to A&A’s (a British ISP) response to this: https://www.aa.net.uk/etc/news/bgp-and-rpki/

                                                                    1. 16

                                                                      Our (Cloudflare’s) director of networking responded to that on Twitter: https://twitter.com/Jerome_UZ/status/1251511454403969026

                                                                      There’s a lot of nonsense in this post. First, blocking our route statically to avoid receiving inquiries from customers is a terrible approach to the problem. Secondly, using the pandemic as an excuse to do nothing, when precisely the Internet needs to be more secure than ever. And finally, saying it’s too complicated when a much larger network than them like GTT is deploying RPKI on their customers’ sessions as we speak. I’m baffled.

                                                                      (And a long heated debate followed that.)

                                                                      A&A’s response on the one hand made sense - they might have fewer staff available - but on the other hand RPKI isn’t new and Cloudflare has been pushing carriers towards it for over a year, and route leaks still happen.

                                                                      Personally as an A&A customer I was disappointed by their response, and even more so by their GM and the official Twitter account “liking” some very inflammatory remarks (“cloudflare are knobs” was one, I believe). Very unprofessional.

                                                                      1. 15

                                                                        Hmm… I do appreciate the point that route signing means a court can order routes to be shut down, in a way that wouldn’t have been as easy to enforce without RPKI.

                                                                        I think it’s essentially true that this is CloudFlare pushing its own solution, which may not be the best. I admire the strategy of making a grassroots appeal, but I wonder how many people participating in it realize that it’s coming from a corporation which cannot be called a neutral party?

                                                                        I very much believe that some form of security enhancement to BGP is necessary, but I worry a lot about a trend I see towards the Internet becoming fragmented by country, and I’m not sure it’s in the best interests of humanity to build a technology that accelerates that trend. I would like to understand more about RPKI, what it implies for those concerns, and what alternatives might be possible. Something this important should be a matter of public debate; it shouldn’t just be decided by one company aggressively pushing its solution.

                                                                        1. 4

                                                                          This has been my problem with a few other instances of corporate messaging. Cloudflare and Google are giant players that control vast swathes of the internet, and they should be looked at with some suspicion when they pose as simply supporting consumers.

                                                                          1. 2

                                                                            Yes. That is correct, trust needs to be earned. During the years I worked on privacy at Google, I liked to remind my colleagues of this. It’s easy to forget it when you’re inside an organization like that, and surrounded by people who share not only your background knowledge but also your biases.

                                                                        2. 9

                                                                          While the timing might not have been the best, I would overall be on Cloudflare’s side on this. When would the right time to release this be? If Cloudflare had waited another 6-12 months, I would expect them to release a pretty much identical response then as well. And I seriously doubt that their actual actions and their associated risks would actually be different.

                                                                          And as ISPs keep showing over and over, statements like “we do plan to implement RPKI, with caution, but have no ETA yet” all too often mean that nothing will ever happen without efforts like what Cloudflare is doing here.


                                                                          Additionally,

                                                                          If we simply filtered invalid routes that we get from transit it is too late and the route is blocked. This is marginally better than routing to somewhere else (some attacker) but it still means a black hole in the Internet. So we need our transit providers sending only valid routes, and if they are doing that we suddenly need to do very little.

                                                                          Is some really suspicious reasoning to me. I would say that black hole routing the bogus networks is in every instance significantly rather than marginally better than just hoping that someone reports it to them so that they can then resolve it manually.

                                                                          Their transit providers should certainly be better at this, but that doesn’t remove any responsibility from the ISPs. Mistakes will always happen, which is why we need defense in depth.

                                                                          1. 6

                                                                            Their argument is a bit weak in my personal opinion. The reason in isolation makes sense: We want to uphold network reliability during a time when folks need internet access the most. I don’t think anyone can argue with that; we all want that!

                                                                            However they use it to excuse not doing anything, where they are actually in a situation where not implementing RPKI and implementing RPKI can both reduce network reliability.

                                                                            If you DO NOT implement RPKI, you allow route leaks to continue happening and reduce the reliability of other networks and maybe yours.

                                                                            If you DO implement RPKI, sure there is a risk that something goes wrong during the change/rollout of RPKI and network reliability suffers.

                                                                            So, with all things being equal, I would choose to implement RPKI, because at least with that option I would have greater control over whether or not the network will be reliable. Whereas in the situation of NOT implementing, you’re just subject to everyone else’s misconfigured routers.

                                                                            Disclosure: Current Cloudflare employee/engineer, but opinions are my own, not my employer’s; also not a network engineer, hopefully my comment does not have any glaring ignorance.

                                                                            1. 4

                                                                              Agreed. A&A does have a point regarding Cloudflare’s argumentum in terrorem, especially the name and shame “strategy” via their website as well as Twitter. Personally, I think it is a dick move. This is the kind of stuff you get as a result:

                                                                              This website shows that @VodafoneUK are still using a very old routing method called Border Gateway Protocol (BGP). Possibly many other ISPs in the UK are doing the same.

                                                                              1. 1

                                                                                I’m sure the team would be happy to take feedback on better wording.

                                                                                The website is open sourced: https://github.com/cloudflare/isbgpsafeyet.com

                                                                                1. 1

                                                                                  The website is open sourced: […]

                                                                                  There’s no open source license in sight so no, it is not open sourced. You, like many other people, confuse and/or conflate anything being made available on GitHub as being open source. This is not the case - without an associated license (and please don’t use a viral one - we’ve got enough of that already!), the code posted there doesn’t automatically become public domain. As it stands, we can see the code, and that’s that!

                                                                                  1. 7

                                                                                    There’s no open source license in sight so no, it is not open sourced.

                                                                                    This is probably a genuine mistake. We never make projects open until they’ve been vetted and appropriately licensed. I’ll raise that internally.

                                                                                    You, like many other people confuse and/or conflate anything being made available on GitHub as being open source.

                                                                                    You are aggressively assuming malice or stupidity. Please don’t do that. I am quite sure this is just a mistake; nevertheless, I will ask internally.

                                                                                    1. 1

                                                                                      There’s no open source license in sight so no, it is not open sourced.

                                                                                      This is probably a genuine mistake. We never make projects open until they’ve been vetted and appropriately licensed.

                                                                                      I don’t care either way - not everything has to be open source everywhere, i.e. a website. I was merely stating a fact - nothing else.

                                                                                      You are aggressively […]

                                                                                      Not sure why you would assume that.

                                                                                      […] assuming malice or stupidity.

                                                                                      Neither - ignorance at most. Again, this is purely a statement of a fact - no more, no less. Most people know very little about open source and/or nothing about licenses. Otherwise, GitHub would not have bothered creating https://choosealicense.com/ - which itself doesn’t help the situation much.

                                                                                    2. 1

                                                                                      It’s true that there’s no license so it’s not technically open-source. That being said I think @jamesog’s overall point is still valid: they do seem to be accepting pull requests, so they may well be happy to take feedback on the wording.

                                                                                      Edit: actually, it looks like they list the license as MIT in their package.json. Although given that there’s also a CloudFlare copyright embedded in the index.html, I’m not quite sure what to make of it.

                                                                                      1. -1

                                                                                        If part of your (dis)service is to publicly name and shame ISPs, then I very much doubt it.

                                                                              2. 2

                                                                                While I think that this is ultimately a shit response, I’d like to see a more well wrought criticism about the centralized signing authority that they mentioned briefly in this article. I’m trying to find more, but I’m not entirely sure of the best places to look given my relative naïvete of BGP.

                                                                                1. 4

                                                                                  So as a short recap, IANA is the top level organization that oversees the assignment of e.g. IP addresses. IANA then delegates large IP blocks to the five Regional Internet Registries, AFRINIC, APNIC, ARIN, LACNIC, and RIPE NCC. These RIRs then further assign IP blocks to LIRs, which in most cases are the “end users” of those IP blocks.

                                                                                  Each of those RIRs maintains an RPKI root certificate. These root certificates are then used to issue certificates to LIRs that specify which IPs and ASNs that LIR is allowed to manage routes for. Those LIR certificates are then used to sign statements that specify which ASNs are allowed to announce routes for the IPs that the LIR manages.

                                                                                  So their stated worry is then that the government in the country in which the RIR is based might order the RIR to revoke a LIR’s RPKI certificate.


                                                                                  This might be a valid concern, but if it is actually plausible, wouldn’t that same government already be using the same strategy to get the RIR to just revoke the IP block assignment for the LIR, and then compel the relevant ISPs to black hole route it?

                                                                                  And if anything this feels even more likely to happen, and be more legally viable, since it could target a specific IP assignment, whereas revoking the RPKI certificate would make the ROAs of all of the LIR’s IP blocks invalid.
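                                                                                  The validation step the recap above leads to, as an added example that is not code from the thread, from Cloudflare or from A&A: it classifies a BGP announcement against a set of ROAs the way RFC 6811 Route Origin Validation does, applies the “drop invalid routes” filter debated earlier in the thread, and shows what happens to the same routes once an LIR’s ROAs are withdrawn. All prefixes and AS numbers are constructed documentation values.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of ROAs.

Added example, not code from the thread, Cloudflare or A&A; all prefixes
and AS numbers are constructed documentation values."""
import ipaddress
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: asn may originate prefix and any
    more-specific of it down to max_length bits."""
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    max_length: int
    asn: int


def roa(prefix: str, max_length: int, asn: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, asn)


# Constructed ROAs, standing in for what the RIR-rooted certificate chain
# described above would publish for three hypothetical LIRs.
SAMPLE_ROAS = [
    roa("192.0.2.0/24", 24, 64496),
    roa("198.51.100.0/22", 24, 64497),
    roa("2001:db8::/32", 48, 64498),
]


def validate(announced: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Classify one BGP announcement as 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(announced)
    # Covering ROAs: same address family and the ROA prefix contains the route.
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "notfound"   # no ROA speaks for this address space at all
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"        # covered, but wrong origin AS or too specific


def filter_announcements(announcements, roas=SAMPLE_ROAS):
    """The 'drop invalids' policy discussed above: reject only 'invalid'.
    'notfound' is kept, since most address space has no ROA yet."""
    return [(p, a) for p, a in announcements if validate(p, a, roas) != "invalid"]


if __name__ == "__main__":
    print(validate("192.0.2.0/25", 64496))          # invalid: beyond maxLength
    # Revoking an LIR's certificate withdraws its ROAs: routes fall to notfound.
    print(validate("192.0.2.0/24", 64496, roas=[]))  # notfound
```

Note that a withdrawn ROA turns a route into “notfound” rather than “invalid”, so a drop-invalid filter alone would keep forwarding it; only a hijack that is covered by a surviving ROA with a different origin or a longer prefix gets rejected.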

                                                                                  1. 1

                                                                                    Thanks for the explanation! That helps a ton to clear things up for me, and I see how it’s not so much a valid concern.

                                                                                2. 1

                                                                                  I get a ‘success’ message using AAISP - did something change?

                                                                                  1. 1

                                                                                    They are explicitly dropping the Cloudflare route that is being checked.

                                                                                1. 3

                                                                                  Personally, I don’t follow blogs or podcasts without a direct feed - using the general term here as this also applies to Atom. Being on iTunes, etc. does not count!

                                                                                  1. 4

                                                                                    There’s no mention of *BSD in that post. Shouldn’t this simply be tagged release?