Threads for rjc

  1. 7

    Yup, ascii(7) manual page is very useful for this type of info. Also if one needs to %-encode a character, i.e. in a URI, etc.

    1. 4

      I would rather see better tools than PGP for new standards.

      1. 4

        If you’re talking about GnuPG, then absolutely. Why can’t we have something simple like signify, eh? If you’re talking about OpenPGP then, well, even with its issues, a suitable replacement would still need its own RFC first :^)

        1. 1

          Yes, makes sense.

          1. 1

            Yeah, Signify would probably be much better.

            1. 2

              Or reop, but you get the gist ;^)

              1. 1

                I’m surprised reop hasn’t caught on like signify has (first time I’m hearing of it). Seems like a great tool.

        1. 2

          An RFC with no comparison against VuXML and which looks less useful. Yay?

          1. 2

            Would VulnXML be comparable to OSV? https://ossf.github.io/osv-schema/

            1. 1

              Yes, it looks as if OSV could be fairly easily translated to VuXML and vice versa. They seem to capture the same information in an almost identical schema, just with different serialisation formats.

            2. 1

              An RFC with no comparison against VuXML and which looks less useful. Yay?

              It looks like it comes from an era (2003) when XML was quite fresh and cool(?). Is anyone apart from FreeBSD using it? It seems like if it’s never mentioned in discussions about security.txt, then it’s most likely due to everyone involved in VuXML either not being interested any more or asleep.

              Human-readable is the new shit, next will be binary ;^)

              1. 7

                Is anyone apart from FreeBSD using it?

                I don’t know. I think NetBSD was, not sure if they still do.

                It seems like if it’s never mentioned in discussions about security.txt, then it’s most likely due to everyone involved in VuXML either not being interested any more or asleep.

                It looks as if I was misunderstanding the purpose of security.txt based on the title. It is about defining a way of reporting security vulnerabilities to the project, not a way for a project to report security vulnerabilities. The only consumer of this will be a human security researcher who has found a vulnerability. There is some value in having a convention here, but any text file is fine as long as it’s easy to find. I don’t care what the structure of the file is because a human will parse it and it will be a small part of the task of finding and documenting a vulnerability.

                VuXML solves the other part of the problem. Every security vulnerability in a package shipped by FreeBSD gets an entry in the VuXML stream and it’s machine-parseable and easy to aggregate. It looks as if security.txt is designed to be machine-parseable (and therefore probably possible to aggregate) but it requires a bespoke parser. I’d love to see a VuJSON, since JSON parsers are simpler and more ubiquitous than XML these days.

                The main value for this kind of thing is in auditing. On a FreeBSD system, I can type pkg audit and get a report of all packages with known vulnerabilities, generated from the VuXML. I believe Debian has something similar, though I don’t know anything about their implementation details. I can also build my own auditing tool and can easily produce a VuXML stream for my own package repositories that integrates with this.

                It would be great if there were tooling to allow upstream projects to more easily publish their CVEs in machine-readable format that could be converted to VuXML. There’s a small ontology problem (VuXML tells you the range of versions for packages that are vulnerable but the versions of upstream, of the FreeBSD packages, of the Debian packages, and so on don’t always align) but that’s something that could be solved with a bit of metadata in the packages allowing some tooling to handle the mapping.

            1. 2

              CDDL? An odd choice of a license for a new project. Is this code related/based on Sun’s old code in any way?

              1. 1

                No, it’s not. But I can’t see a reason to use a different license.

                1. 2

                  Is GPL incompatibility a goal? If so, then CDDL is fine. Otherwise MPL may be a better choice?

                  1. 1

                    I honestly don’t care about being compatible with the GPL. The Lazarus components I use are “LGPL with linking exceptions” as far as I know, my code itself was not designed to be embedded in any other software, so the difference is mostly academic here, if I’m not mistaken.

                    1. 2

                      I mean, the CDDL is effectively “MPL + GPL incompatibility” so if you don’t care about GPL one way or the other using MPL would mean anyone who finds something useful in your code could copy it to a GPL project.

                      It’s all academic until it’s not, and by then it’s usually too late to change :)

                      1. 2

                        One of the advantages of being the project lead, main developer and license steward of a project is that it’s never too late to change.

                        I won’t block a license discussion once this happens. Until then, the CDDL is just fine. :-) (I have my own prejudices against the GPL though, so the discussion will - at least - be fruitful.)

              1. 2

                Given that you’ve mentioned a basic vi(1) command as your favourite, I’m going to do the same:

                 .
                

                It’s a repeat the last command, at least in nvi :^)

                In terms of :r!... I use it daily, i.e.:

                 :r!ssh hostname 'cd /path/to/dir;cvs diff path/to/file'
                
                1. 10

                  This looks interesting. On a related note, if you want something closer to vi, but the lack of UTF-8 and bidirectional text in OpenVi is a problem, take a look at neatvi.

                  1. 9

                    I really enjoy everything the author of neatvi has written (neatroff especially). I reached out to him once via email basically to tell him I was a fan. He was very gracious.

                    1. 3

                      He was very gracious.

                      Agreed. When neatvi was relatively new, I submitted a small number of patches and had several questions. He was always helpful.

                    2. 5

                      For UTF-8, another option is nvi. OpenBSD’s vi is actually an old version of nvi that lacks UTF-8 support.

                      1. 3

                        Don’t confuse OpenVi/OpenBSD-vi, nvi1, and nvi2. These are all different programs that share the same heritage.

                        OpenVi is derived from OpenBSD vi, which derives from nvi version 1.79, released in 1996. There has been 25+ years of independent development as part of the OpenBSD base system and it has diverged greatly in that time, with the development going in a different direction.

                        Nvi1, currently on version 1.8x, is maintained at https://repo.or.cz/nvi.git - I believe the latest version of this editor does have multibyte support, but this is not the OpenVi/OpenBSD version of the editor.

                        Nvi2 shares the same heritage as well, but is also quite far removed from 1996 code. It is actively maintained at https://github.com/lichray/nvi2 and also includes multibyte support.

                        (If I remember correctly) the multibyte support in both Nvi1 and Nvi2 derives from nvi-m17n, developed as part of the KAME project by the late itojun - http://www.itojun.org/itojun.html … the last update to nvi-m17n was about 3 years ago, and is available at https://cgit.freebsd.org/ports/tree/editors/nvi-m17n/files

                        Currently, optimizing for size using link-time garbage collection with GCC 11.2 on an x86_64 glibc Linux system gives a good idea of the changes over time and the different direction these editors have taken. OpenVi is also simplified in structure and does not have the three levels of abstraction of Nvi 1.8x - there is no library interface layer.

                        For OpenVi, the compiled binary is 278K, and for Nvi1 (nvi-1.81.6-45-g864873d3) the compiled binary is 528K (36K for vi, 528K for libvi).

                        OpenVi has a single configuration standard with no dependencies beyond curses.

                        Nvi1 has many options beyond trace/debug (“widechar” “gtk” “motif” “threads” “perl” “tcl” “db3/4” “internal-re”) - so at least 255 different build variations are possible.

                        (I’ve not yet built Nvi2 myself on Linux so I can’t provide an actually fair comparison yet, but I will, and I’ll summarize the data in an FAQ section of the README.)

                        1. 2

                          (Note that I was using the defaults here, I’m sure that it’s possible to trim down Nvi 1.8x further, but I’m comparing the default compilations, optimized for size (GCC, -Os, -fdata-sections, -ffunction-sections, link-time GC enabled), but Nvi 1.8x is a much more complicated program, and has a different feature set, and different supported options.)

                          1. 1

                            Well, I allowed myself to omit the fact that OpenBSD’s vi has seen some independent development past nvi 1.79, which is true. A “(based on)” should be inserted before “an old version” in my original comment. But I appreciate the thorough summary of nvi versions!

                          2. 2

                            Nope, the vi in OpenBSD is nvi - you’re confusing it with nvi2. Both are in active development: nvi and nvi2.

                            1. 2

                              It should be noted that DragonFly BSD has imported nvi2, but with some modifications as well.

                              It’s unfortunate there is so much confusion surrounding the various nvi-based editors, mostly due to them all being so similarly named.

                              Part of why I chose to call this project OpenVi was because the name was - surprisingly - available, and does not directly imply that OpenVi is exactly Nvi1/2 or OpenBSD’s vi.

                              (In particular, all bugs in OpenVi should be considered my fault.)

                          3. 2

                            I will confirm that Neatvi is an excellent project, but I’m a bit more interested in Nextvi - https://github.com/kyx0r/nextvi - the RTL/bidi in Neatvi is a huge strength and is done very cleanly when compared to other vi-likes.

                          1. 4

                            Automounters existed since the 80s but sure, let’s just reinvent the wheel… hang on a minute it’s not round any more - it’s square!

                            1. 10

                              yawn systemd bashing, how boring, and how expected

                              anyway, this is a typical strawman response.

                              automounting is not a novel concept… but noone claimed it is. the post shows how systemd nicely integrates this concept with other systemd concepts so that, for example, it becomes easy to start services that depend on such a network mount, ensuring the right ordering during boot, etc.

                              1. 3

                                yawn systemd bashing, how boring, and how expected

                                My comment wasn’t systemd-specific - it was aimed at any solution in need of a problem - my point was that automounters have existed for well over three decades and they do well what they’re good at.

                                Also, unless I’m missing something, the article describes automating an fstab(5) mount - it isn’t a real automount as in, mount on request/access and unmount if not in use, not to mention other features such as various substitutions (key, wildcard, variable, etc.), etc.

                              2. 4

                                None of the auto mounters I know of integrated with system service ordering and dependencies very well. Also systemd already is the place where fstab handling happens, so it effectively needs to be an (auto)mounter anyway. I don’t think reinventing the wheel criticism really applies here.

                                1. 1

                                  I’m not the biggest fan of systemd… But I do think your comment isn’t very constructive nor a good criticism of this feature of systemd.

                                  1. 1

                                    I have moved from autofs to using the systemd built-in feature in the cases where we are automounting. The advantage is that systemd is already installed, so an additional package is not needed any more, it uses the same syntax for defining mounts as we’re already used to for services and service startup order can be nicely integrated into the auto mount availability.

                                    This has done away with quite a few sleep hacks in old style scripts and so far worked perfectly and did not necessitate new hacks.

                                    Do I need my init system to have built-in automount support? No. But it’s very convenient and very robust, so I’m more than happy to use it.

                                    If you are concerned by bloat or unhappy with the functionality provided by systemd, feel free to continue using autofs or anything else for your mounts.

                                    The one thing I wish was different is if I could have the mount and automount unit in a single file. systemd is very boilerplaty that way and while I see that in some cases the split makes sense, in my simple use cases, it’s just baggage.
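                                    A minimal version of the unit layout described in this thread (a .mount unit, the .automount that triggers it on first access, and a service ordered after the mount), added here as an illustration rather than taken from the linked article or from any commenter. The NFS host, export path, mount point and script path are constructed placeholders.

```ini
# /etc/systemd/system/mnt-data.mount
# The unit name must be the escaped mount path (/mnt/data -> mnt-data).
# This unit is not enabled directly; the .automount below activates it
# the first time something touches /mnt/data.
[Unit]
Description=NFS share for /mnt/data (constructed example)
After=network-online.target
Wants=network-online.target

[Mount]
What=nfs.example.internal:/export/data
Where=/mnt/data
Type=nfs
# _netdev marks a network filesystem; noexec/nosuid/nodev limit what a
# compromised or hostile share can do on this host.
Options=_netdev,noexec,nosuid,nodev

# /etc/systemd/system/mnt-data.automount
# This is the unit that gets enabled. systemd arms an autofs trap at
# Where= and starts mnt-data.mount on the first access.
[Unit]
Description=Automount /mnt/data on first access

[Automount]
Where=/mnt/data
# Unmount again after ten minutes without use.
TimeoutIdleSec=600

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/data-sync.service
# RequiresMountsFor= pulls in and orders this unit after the mount units
# for the given path, so the job never runs before the share is mounted.
[Unit]
Description=Job that needs /mnt/data (constructed example)
RequiresMountsFor=/mnt/data

[Service]
Type=oneshot
ExecStart=/usr/local/bin/data-sync.sh
```

                                    Enable only the trap with `systemctl enable --now mnt-data.automount`; `systemctl list-units --type=automount` then shows it armed before anything has touched the path.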

                                  1. 11

                                    While this may seem nostalgic for some folks, I was entirely unaware of this feature[1] and am excited to see how it unfolds. So far it seems to just be a landrush for short names.

                                    [1] https://linux.die.net/man/1/finger (Search for “plan”)

                                    1. 2

                                      Already linked below (above?) but thought will link it here, too - if nothing else, this one is more up-to-date :^)

                                      https://man.openbsd.org/finger.1

                                    1. 6

                                      What is this site about exactly ? I miss the point ^^”

                                      1. 12

                                        It’s like an interactive telephone book, you can index all of the users of the domain with “finger @plan.cat” and you can look up a specific user like “finger glitch@plan.cat”.

                                        1. 5

                                          It would be awesome if mail providers started to provide finger so you can quickly have information about someone (which would be, of course, the information they want to make public)

                                          1. 3

                                            Most servers started to close the finger port for incoming connections in the late ’90s because the protocol was a great way of enumerating the valid accounts on the system. If your mail provider enables it then you can find all of the addresses that will work and that makes sending spam to that provider a lot easier.

                                            I first saw finger in 2000 and even then it only worked on the local network and was blocked at the firewall for the machines that hosted a web server / email.

                                            1. 3

                                              I have writing a PIM in my “TODO one day”, and it would be a nice feature to add.

                                          2. 3

                                            It’s a social network from way back when: https://linux.die.net/man/1/finger

                                            1. 2

                                              Back in Days of Yore, before the internet went mainstream and security Got Serious, most UNIX systems supported a protocol called finger.

                                              You could say finger feoh@gnu.org and, if I updated my .plan file, see what I had written there and, depending on the server, maybe even what I was running on the machine at the moment.

                                              People took advantage of this for all kinds of strange and wonderful things, including internet connected coffee and soda machines where you could [finger them for status].

                                              This site resurrects the protocol but gives you a place to advertise your status without opening up a security hole in workstations you actually use/care about, and in its own way creates a kind of social network :)

                                              1. 1

                                                Were you going to link something at [finger them for status]?

                                            1. 11

                                              Can we get integration with the weekly “what are you doing this week?” threads? That would be cool.

                                              1. 11

                                                It would also be neat if lobste.rs hosted a finger server. For example finger fs111@lobste.rs could return some of the information found on https://lobste.rs/u/fs111. Maybe users profiles also have a “plan” section for “what are you doing this week” answers? Not sure the utility of all this, but the idea tickles me!

                                                1. 5

                                                  Well, there’s this at least:

                                                  finger lobsters@typed-hole.org
                                                  
                                                  1. 4

                                                    That would be really cool indeed

                                                1. 23

                                                  I guess it’s better to leave on your own terms than to get your domain blocked or get kicked out.

                                                  The wording on the banner is far from being a friendly advice - I’d call it antagonistic and confrontational, hostile even.

                                                  BTW, the code itself has been added last year in this commit.

                                                  Ironically, lobste.rs was created by /u/jcs as response to HN heavy-handed moderation.

                                                  1. 40

                                                    His engagement with lobste.rs was much more polarising than burntsushi. The latter didn’t jump into comment sections to deliberately kick off a flame war that may not have otherwise occurred; the former did so deliberately and unashamedly. I heartily respect both their views but I can understand why they might be moderated differently.

                                                    1. 13

                                                      Thank you for saying this in a far more polite way than I was about to.

                                                      1. 8

                                                        And why would that result in banning the domain? Drew wasn’t even the one posting his blog posts here and they were always upvoted.

                                                        1. 11

                                                          Because many of his posts were explicit flamebait; look at the last two posts on that domain for instance.

                                                          1. 2

                                                            Then clearly this community is not what the admin intended it to be before banning this domain because the stories from that domain were routinely getting above 30 points which is rare for most stories. It is time to shut this whole website down and just change it to be a private RSS feed of the admin.

                                                            1. 3

                                                              It’s an attempt to avoid the Repugnant Conclusion; the mere addition of a steady attractor of upvotes can degrade the quality of life for everybody else.

                                                            2. 1

                                                              Did you mean to include the one about a finger server and io_uring as one of the two? I found it interesting and informative.

                                                              1. 5

                                                                I meant what was submitted to Lobsters, which were the final straws.

                                                                1. 2

                                                                  Thanks for the clarification. Not sure why I didn’t read it that way.

                                                          2. 1

                                                            This was just an example - there’s more in the moderation log if you care to look.

                                                          3. 15

                                                            Wow, this ban message from your second link:

                                                            Please go be loudly disappointed in the entire world (and promote sourcehut) somewhere else.

                                                            I really hope that this happened at the end of a process of attempting to politely engage, rather than as the immediate response. That reads like something from a burned-out moderator who needs to take a break.

                                                            1. 26

                                                              This was a sustained pattern of behavior over months.

                                                              1. 2

                                                                That reads like something from a burned-out moderator who needs to take a break.

                                                                Pro tip: moderators are always burnt-out.

                                                              2. 8

                                                                oh wow, Drew got banned ..

                                                                I don’t like anyone getting banned for anything. I have a lot of respect for how much DeVault puts into his open source contributions and am envious he can live off of it. That being said, he banned me on Mastodon forever ago because I reposted an open letter a professor made during the height of the 2020 US riots. We had a discussion over DMs and he blocked me in the end.

                                                                The more I learn about some of the stuff he’s said and done, I realize I can still respect his work while still agreeing with all the others who’ve come to the conclusion his actions are often inflammatory or childish. I’m not surprised he’s banned. He left the Fediverse a few months back too.

                                                                1. 13

                                                                  Yup. I was actually pretty interested in Sourcehut, but in the end I didn’t really want to use a service run by someone that hot-headed.

                                                                  1. 1

                                                                    because I reposted an open letter a professor made during the height of the 2020 US riots. We had a discussion over DMs and he blocked me in the end.

                                                                    What was the nature of the letter?

                                                                  2. 7

                                                                    There are two issues here:

                                                                    • banning the user
                                                                    • banning the domain

                                                                    The reason for banning the user account was reported by the admin as apparently rude comments/encouraging arguments/arguing? The comments were usually upvoted though as far as I remember so I think the decision was mostly arbitrary.

                                                                    The domain was blocked just because the admin banned the author from lobsters, not because there was something wrong with the content on that website. Drew wasn’t even the one posting his blog posts here.

                                                                    Therefore at least one of those decisions is nonsensical.

                                                                    You can try to create a website with semi-transparent moderation policies but that will never fix the standard power abuse by moderators like in this situation. The personal grievances usually win and no moderation log will fix this. The community enjoyed the content and @pushcx didn’t => the comments and the domain get nuked off the website.

                                                                    I tried to get an answer at least to why the domain was banned but of course I never did (in the name of transparency).

                                                                    1. 3

                                                                      The reason for banning the user account was reported by the admin as apparently rude comments/encouraging arguments/arguing? The comments were usually upvoted though as far as I remember so I think the decision was mostly arbitrary.

                                                                      The domain was blocked just because the admin banned the author from lobsters, not because there was something wrong with the content on that website. Drew wasn’t even the one posting his blog posts here.

                                                                      I disagree with your opinion that his behavior on the site was not rude, though I didn’t look closely at all of his posts so I can’t say for certain. What I do agree with is the domain ban. The ban itself seemed unclear and arbitrary. Moreover, as you mentioned, a domain ban affects much more than just a user, it affects all content on that domain.

                                                                      1. 1

                                                                        Negative comments are deleted when users are banned or leave; you won’t find any of his egregious comments here.

                                                                    2. 5

                                                                      For my sins I’m tracking every submission to lobste.rs.

                                                                      Here’s a gist with an extract of submissions matching ‘drewdevault’ in the URL. I consider a comments/score ratio above 1.25 “controversial”.

                                                                      Hopefully this can give a sampling of how Devault’s content was received by the community here.

                                                                    1. 2

                                                                      Running OpenBSD on an RPI3 is much easier than it seems, the only non-standard RPI requirement is doing an actual install from the SD card and requiring a serial terminal or external monitor/keyboard instead of just flashing an image and booting.

                                                                      One trick I ended up doing post-install was mounting /tmp as type mfs to avoid writes to the SD card when possible.

                                                                      It’s overall stable and there are a good number of arm64 pkgs to install and setup smaller network appliances like a dnscrypt-proxy or a gemini capsule.

                                                                      1. 1

                                                                        terminal

                                                                        s/terminal/console/

                                                                      1. 7

                                                                        I had to do some digging through the linked tweets to figure out what Proctorio was. If the author is reading, it might be worth giving a brief summary of the technology you’re criticizing for those unfamiliar with it.

                                                                        1. 1

                                                                          Yup, it does seem to be (un)popular in a specific country or a region.

                                                                        1. 6

                                                                          I just use a shell script with defaults write commands and for software, I use a Brewfile for Homebrew. Mostly works well.

                                                                          1. 3

                                                                            Same here - /bin/sh script with lots of defaults, installer, etc. lines. Assembled over the years, one-touch CLI-only setup - does 100% of what I need it to do.

                                                                            Hooking all of the work Macs up to an existing SaltStack server has been on my TODO list for a while now but it’s always on the back burner.

                                                                            1. 3

                                                                              If you install the mas package, your Brewfile will have the versions of software you’ve downloaded from the Mac App Store. It’s pretty nice.

                                                                              1. 4

                                                                                Jakub Konka! Can’t you read!? ;^)

                                                                              1. 2

                                                                                It’s a shame there’s no standard way to filter emails… oh, wait!

                                                                                1. 2

                                                                                  sieve.info

                                                                                  Now that’s a name I’ve not heard in a long time…

                                                                                  1. 1

                                                                                    I use it every day and can’t imagine how one can use email effectively without it :^)

                                                                                    1. 1

                                                                                      We used it at $work[-1]. Sadly it was the only sane part of that particular setup.

                                                                                1. 2

                                                                                  Also macOS still doesn’t support it with the included OpenSSH.

                                                                                  1. 1

                                                                                    What else is new!? ;^)

                                                                                    brew install openssh
                                                                                    
                                                                                  1. 12

                                                                                    Seems like a lot more hassle than just using Bitwarden, be it cloud or self-hosted, especially on mobile. Plus, even if not as secure, 2FA in Bitwarden is great.

                                                                                    1. 5

                                                                                      It’s more initial setup, but after that point depending upon your workflow it can be less hassle. In my case I’ve got it hooked up with fzf in my TWM so it’s more efficient than any proprietary UI could ever be. And long term there’s less hassle in using standard, multipurpose, open source tools like gpg and git.

                                                                                      1. 5

                                                                                        Oh, I would be totally onboard, but since I use passwords and 2FA on mobile a lot, not having the autofill capabilities in the app the article linked is a bit of a hindrance, along with other niceties. For my use cases, Bitwarden is open source enough to satisfy that.

                                                                                        But if I think about it, I can see the benefit in the simplicity of this workflow if you don't need the features I depend on, or the extra app switching doesn't bother you.

                                                                                        I tried pass a long time ago, probably around when it first came out, and liked it; just mobile was always a sticking point, and syncing everything. I mean, that's solved with stuff like Seafile, Nextcloud, Dropbox, syncthing, rsync, etc. But it being built into what I am using is just a time saver.

                                                                                        I will also admit that I am not as privacy-conscious as many are.

                                                                                        1. 11

                                                                                          Hi, Android Password Store maintainer here. The app does support Autofill, and does it rather well (even if I say so myself).

                                                                                          I assume the author is on a very old Android version which doesn’t have native Autofill capabilities. The mention of overlays probably is about System Alert Windows, which apps used pre-Android 8.0 to present Autofill UIs. The accessibility and clipboard backed implementation that was used before native Autofill is extremely buggy and unsafe, so we’ve opted to completely remove it in our development branch.

                                                                                          Another possibility is that they accidentally installed our legacy version that hasn’t been updated in a couple years, and was marked as archived on F-Droid but I presume stays accessible even today. Here’s the currently maintained version.

                                                                                          If neither of those is true /u/rhardih, please email me at aps@msfjarvis.dev with some info about your phone and Android version, and I’d love to sort this out :)

                                                                                          1. 4

                                                                                            Hi, this was totally a blunder on my part. I didn’t see it showing up in the Autofill menu next to LastPass and didn’t really think about it more than that, because I personally didn’t mind having to copy paste a bit.

                                                                                            I’m guessing it’s disabled by default, because it’s necessary to trigger the “Auto-fill service” system settings page when enabling, in order to choose Password Store as default.

                                                                                            I’m sorry for the misunderstanding. I’ve updated the post with a correction.

                                                                                            1. 3

                                                                                              Thanks for the prompt correction! We recommend users to enable Autofill from within the app since it allows us to present each currently installed browser’s Autofill support level upfront, so that users can adjust their expectations. This was mostly necessary back when Chromium-based browsers had absolutely terrible Autofill support, but is slightly less useful now that all the patches my co-maintainer has been pushing to Chromium have reached the stable channel with Chrome 89.

                                                                                            2. 2

                                                                                              Oh, cool, thank you for clarifying that and thank you for working on the app. I know it might not be for some, but it definitely solves a need for many, and I respect that and appreciate your efforts on the app.

                                                                                              I might check it out for work related stuff.

                                                                                              1. 2

                                                                                                Thanks a lot for your kind words :)

                                                                                        2. 2

                                                                                          It isn't. I host my password store in a git directory on my server and just use that to keep it updated on my phone and anything else. I also use rofi, so having pass-otp and rofi-pass really makes it great on my desktop, for example. The Android app also just works with OTP codes.
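The fzf hookup described a few comments up and the git-hosted store in the comment above, shown as an added shell example; it is not code from the thread, from pass(1) or from rofi-pass. It assumes the standard pass layout (one `<name>.gpg` file per entry under `$PASSWORD_STORE_DIR`, default `~/.password-store`, `.gpg-id` at the root and git metadata in `.git`), and that pass, gpg and fzf are installed for the interactive part. The demo store is constructed from empty placeholder files so the listing can be exercised without a GPG key.

```shell
#!/bin/sh
# Added example, not from the thread or from pass(1): enumerate a
# password-store directory the way a pass+fzf picker needs to, hand the
# chosen entry to pass, and sync the store over git.

# Print entry names (relative to the store, without ".gpg"), one per line.
# .git is pruned so the picker never offers objects/refs as "entries".
pass_list() {
    store=${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
    (
        cd "$store" || exit 1
        find . -path ./.git -prune -o -type f -name '*.gpg' -print |
            sed -e 's|^\./||' -e 's|\.gpg$||' |
            sort
    )
}

# Interactive picker: fuzzy-select an entry and copy the first line of the
# decrypted file to the clipboard with `pass -c`, which clears it again
# after 45 seconds by default. Requires fzf, pass and a usable GPG key.
pass_pick() {
    entry=$(pass_list "$1" | fzf --prompt='pass> ') || return 1
    [ -n "$entry" ] || return 1
    pass -c "$entry"
}

# Keep the store in sync with a remote on your own server: `pass git`
# runs git with the store as its working directory.
pass_sync() {
    pass git pull --rebase --quiet && pass git push --quiet
}

# Constructed demo store (empty placeholder files, no real secrets) so
# pass_list can be exercised offline. Prints the directory it created.
make_demo_store() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/web/example.com" "$dir/ssh" "$dir/.git/objects"
    : > "$dir/.gpg-id"                      # not an entry: no .gpg suffix
    : > "$dir/web/example.com/alice.gpg"
    : > "$dir/ssh/bastion.gpg"
    : > "$dir/.git/objects/decoy.gpg"       # inside .git: must be pruned
    printf '%s\n' "$dir"
}

# Stand-alone demo: `sh pass-fzf.sh demo` lists the constructed store.
if [ "${1:-}" = demo ]; then
    d=$(make_demo_store)
    pass_list "$d"
    rm -rf "$d"
fi
```

Bind `pass_pick` to a key in the window manager (rofi-pass does the same job with rofi in place of fzf); `pass -c` avoids ever printing the secret to a terminal scrollback, and pruning `.git` matters because a store's git objects are world-readable plaintext metadata, not entries.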

                                                                                          1. 1

                                                                                            I’m also in favour of a more seamless setup and am heading towards Bitwarden setup myself, albeit slowly.

                                                                                            Recently, I’ve been made aware of a 3rd-party command line client for Bitwarden - rbw - it lacks some basic functionality, i.e. one can only edit the pass{word,phrase}, but it’s quite usable otherwise.

                                                                                          1. 1

                                                                                            Does anyone know the backstory on this one? Did I miss Internet Drama™?

                                                                                            1. 4

                                                                                              other thread: https://lobste.rs/s/cqdh3x/wireguard_for_freebsd_development_for_13

                                                                                              No idea of the veracity of any of the below…

                                                                                              some backstory: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247853#c7

                                                                                              more backstory: https://lists.zx2c4.com/pipermail/wireguard/2021-March/006494.html

                                                                                              even more: https://lists.freebsd.org/pipermail/freebsd-hackers/2021-March/057082.html

                                                                                              yellow site thread: https://news.ycombinator.com/item?id=26475519

                                                                                              Do note: FWIW, Netgate does seem (at least from my perspective) to have a bit of a history of being kind of… weirdly hostile about some stuff? Example: whole opnsense badmouthing thing (domain registration, reddit community creation, etc). On the other hand, also known for contributing code to FreeBSD and donating to FreeBSD. Unsure what to make of it.

                                                                                              1. 3

                                                                                                From my perspective, it was great that Netgate got the ball rolling on in-kernel FreeBSD wireguard. They clearly have a commercial stake in it but they contributed it to the FreeBSD project, even if it lacked important features (jail support) and they just dropped off the code and walked.

                                                                                                Clearly there were code quality and some security issues and Netgate was caught off guard and embarrassed, which no one likes to be. To me the part that is the worst of all of this is what Scott tried to pull in his private communication to Jason:

                                                                                                On Mon, Mar 15, 2021 at 6:08 PM Scott Long wrote:

                                                                                                I’ve also spoken with the FreeBSD Security Officer, and we’ve agreed that wireguard will be removed from all branches of FreeBSD until further notice. I’ve also informed Kyle of this. I do not support its reintroduction into FreeBSD, whether in the src tree or in the ports tree, at this time. As for pfSense, we are conducting an audit and will decide on the best course of action for our customers and our company.

                                                                                                That sort of “take the ball and go home” shit is not at all professional and trying to lean on the security team to enforce your grudge is messed up.

                                                                                                1. 2

                                                                                                  I also feel like calling out the original status of that patch was correct. Some of the issues (like sleeping against race conditions, copying 40KLOC from Linux and putting a bunch of ifdefs around it) leave a very bad taste for me.

                                                                                                2. 3

                                                                                                  The Ars Technica article that forms the base of the HN submission is pretty good, IMO: https://arstechnica.com/gadgets/2021/03/in-kernel-wireguard-is-on-its-way-to-freebsd-and-the-pfsense-router/

                                                                                                  1. 2

                                                                                                    yellow site thread: […]

                                                                                                    Surely, you meant orange, no? ;^)

                                                                                                    1. 1

                                                                                                      haha. Indeed!