Haiku Security

Mea Culpa - that handle ‘NoHaikuForMe’ was fair enough Troll-Warning that I should not have wasted the time. And not just an average troll, either…

Giving credit where it is due, I must say that the amount of contradiction you manage to squeeze into each single sentence is only exceeded by its misinformation content.

Dr. Pauli had your number first:

‘That’s not right. It’s not even wrong’

The fundamental problem with linux is that a linux system is made out of so many moving parts from different groups, and put together by many different distros, that even if some of the parts are shiny, the entire system acts like crap. Until the linux community standardizes behind a single linux platform and one ‘bugzilla’, I just don’t see how assorted security features here and there will amount to much.

devs don’t check the forums because they don’t want to deal with all the trolls

Well I’ve been checking them pretty often lately, though I’m not exactly Axel or Ingo who are some of the real heavy lifters as far as the Haiku developers are concerned. But these forums could certainly be referenced when work begins in areas being discussed, like security in this case.

As for trolls, I don’t think we have too many, and I don’t think NoHaikuForMe is that bad of a troll. Assuming he is male: his nickname is certainly inflammatory but his knowledge of technology is pretty good, and a lot of the critiques of Haiku he has made are fairly accurate.

My main gripe is he assumes the flaws in Haiku are permanent, like many Haiku detractors, when more than likely they are not.

I like the idea of keeping Haiku single user - since it is supposed to be a fast, light desktop OS and computers are more personal now than ever before.

Maybe a single optional login password for preventing just anyone from using your computer.

When it comes to a networked environment, I think there could be a UNIX daemon or 3 which act as a haiku workgroup server and allow people to log into Haiku as a workstation user.

So: single user for local machine, OR one network-user at a time, communicating with a UNIX based server daemon that manages logons / file quotas, etc. That way, Haiku remains a speedy, nimble single user desktop OS, but has a future as a workstation on a network, too.

‘keeping’ an already multi-user OS (which Haiku is) single user would require a rewrite…

More or less what is presently imposed by developer’s fiat, moreover, with the default user selection scripted, and the ability to add more than the basic few or change passwords presently locked-down. No change to that needed to suit what you are asking for.

Already provided for in the form of a separate identity for the sshd daemon.

I haven’t looked at what the httpd daemon runs as (PoorBoy?), but ‘top’ will show one that there are already separate credentials of one kind or another for several ‘team’ daemon-runners.

[quote]
So: single user for local machine, OR one network-user at a time, communicating with a UNIX based server daemon that manages logons / file quotas, etc. That way, Haiku remains a speedy, nimble single user desktop OS, but has a future as a workstation on a network, too.[/quote]

Haiku already supports multiple simultaneous ssh network sessions with different user IDs from different remotes. Some fiddling required to set up the credentials, but it works well enough. No gain in taking it back out, either.

Generally, the physical count of kbd/video/mouse is going to limit most desktops to one user ‘at a time’ more pragmatically than the OS.

When it comes to ‘remote’, even CP/M on a Z80 could handle multiuser apps - and did so. They just had to be in the app, not the executive (Point Of Sale and BBS systems).

Anyway …

Single vs multi user design does not necessarily equate to speed differential or even code weight. More of that depends on how MUCH work is to be done at a given point in time than ‘for whom’ it is to be performed. Likewise, how much of that work is ‘bound’ by other-than code execution time.

Think waiting on keystrokes, mouse movements, HDD access, or network I/O. Not much work, unless your OS were to be 100% ‘polling’ driven…

[quote=leavengood]
My main gripe is he assumes the flaws in Haiku are permanent, like many Haiku detractors, when more than likely they are not.[/quote]

Nothing is permanent, and so the opposite problem is the tendency to look at where we are now, and take that as a fixed landscape against which Haiku will evolve. I’ve said before and will again that it’s a Red Queen’s race. Every other OS is evolving too. In Redmond, Microsoft’s engineers will have been working on the successor to Windows 7 for months already.

When work on Haiku began in 2001 you could have looked at the landscape at that moment and concluded that most people only use a desktop PC, they have no more than 1GiB RAM, they have AC97 audio, and they use DSL or Cable at maybe 1 Mbit/s to read blog pages and write email. Haiku today is actually not that badly equipped for such a system. But it scarcely matters, because it isn’t 2001 any more.

Some detractors of the original OpenBeOS concept felt that the BeOS R5 goal was short sighted because they wouldn’t have an OS until say 2010 and by then all the assumptions would change. They were shot down by people who insisted that it wouldn’t take nearly that long to bring OpenBeOS to fruition.

2010 is now two months away.

But this has swung wildly off topic.

Bill Hacker,

Thanks for your response - to clarify my post, I was referring to having one standard user login (as now) but possibly with a single, higher-privilege workgroup settings panel (password configured at Haiku install time) for enabling authentication against a network server, providing access to shared resources for Haiku clients, etc. Since Haiku defines itself as a Desktop operating system, any server OS capable of running the daemon(s) could take care of the authentication of Haiku clients - including file share / quota provisioning, ldap settings etc for any given network user. The network users could then be defined in accounts in the server side daemon config.

[quote=philcostin]Bill Hacker,

Thanks for your response - to clarify my post, I was referring to having one standard user login (as now) but possibly with a single, higher-privilege workgroup settings panel (password configured at Haiku install time) for enabling authentication against a network server, providing access to shared resources for Haiku clients, etc. Since Haiku defines itself as a Desktop operating system, any server OS capable of running the daemon(s) could take care of the authentication of Haiku clients - including file share / quota provisioning, ldap settings etc for any given network user. The network users could then be defined in accounts in the server side daemon config.[/quote]

Aside from not (presently) requiring any login at all - which a screensaver lock can ameliorate slightly, AFAICS the rest is already there.

One of the first things I did with Haiku was ssh in to a Unix server.

I haven’t had the need to mount smbfs or NFS, but if they are not already there, it would be trivial to import both. AFS and the like - needing kerberos or Heimdal may be in there somewhere too. No lazy way to test those.

As you say - login based on the server end - so ‘already here’.

Haiku makes for really nice readability, has great terminal scrollback and handy ‘zoom’.

But I hope it grows into a lot more than just a better terminal than an HP-200 LX.

… which did have password security. And file encryption.

If you are a developer - there’s a chance that you’ve seen some projects that have gone wrong. Huge, bloated, badly designed - piece by piece, very hard to maintain. Adding new features is a pain - you have to make changes all over the codebase, often using hacks, accidentally breaking a lot of seemingly unrelated stuff in the process. Just finding what to change in order to add a simple feature can often be a daunting task. And it keeps getting worse.

Windows and Linux have all the characteristics of such projects.

There’s a reason it took Microsoft so many years and manpower to get from WindowsXP to Vista (5+ years, hundreds, if not thousands of developers and for what?). There’s a reason why it took the Linux desktop so many years to catch-up with Windows. And there’s a reason why Haiku has managed to reach its current state with a tiny fraction of the developers and resources that Windows and Linux needed. You can count the major Haiku contributors on the fingers of one hand. The team that was responsible for the ill-fated Vista shutdown dialog (Moishe's Blog: The Windows Shutdown crapfest) was probably bigger than that.

The Haiku code is compact, efficient, easy to understand and above all - well designed as a complete, coherent and interoperable system that can be easily extended.

Sure, those developers did only a tiny fraction of the work. Major parts of the system (not to mention the general design) already existed and were simply imported wholesale. So while Red Hat (a major Linux distributor) has employees working on the compiler and toolchain, Haiku is content to merely re-use them with a brief credit. The FreeBSD driver developers worked from hardware documentation to create and test drivers. Haiku pastes them into a compatibility layer. Whether it is JPEG decoding, writing a line of text on the screen, connecting to a remote server, Haiku was able to have a “tiny fraction of the developers” by only doing a tiny fraction of the work.

Throughout Haiku, at least when someone remembered to leave them in, there are copyright lines or credits for thousands of other individuals and organisations which developed the software that is “Haiku”.

Another way to reduce developer numbers is to cut a lot of corners. For example you could take a critical feature of the OS and just not bother implementing it. We’ll see an example below.

[quote]
The Haiku code is compact, efficient, easy to understand and above all - well designed as a complete, coherent and interoperable system that can be easily extended.[/quote]

Security is job number one. Security mitigations are entirely absent from this “complete, coherent and interoperable” system despite being the topic of this thread. Haiku R1 alpha shipped with an unmaintained web browser. Probably some readers of this thread laugh at Windows users who run some obsolete and unpatched version of Internet Explorer - but Haiku insists that you take the same risk.

But really you can’t have intended the word “complete” there as a serious point. Haiku lacks support for most of the peripherals people own, not to mention numerous little features everyone assumes a modern OS will have - even its own developers recognise that this isn’t feature complete.

This is definitely true, but you act as if our project is the only one to use other people’s code. I’m pretty sure Linux, Mac OS X, Windows and pretty much every other OS in existence are built with some amount of “other people’s code.” Either way if those people did not want their code used it would not have been released open source. If we had written every bit of Haiku ourselves we wouldn’t be done until 2020, if that, and you already point out how long it has taken us to get this far, even using so much other code.

Also I’m pretty sure all the Haiku developers have made a very serious effort to recognize and preserve all copyrights and licenses of the code we make use of. If you feel there is some area where this was not done properly, please speak up.

Indeed, that is why we released R1 ALPHA 1, not R1, or even R1 Beta. Trying to run Haiku on some various pieces of native hardware lately has been giving me quite a bit of trouble. It is frustrating, but it is development code. Linux didn’t start off supporting every piece of hardware. Even Microsoft with Vista (and probably again with Win7) has had trouble supporting some pieces of hardware and older software.

I do appreciate some of your insights NoHaikuForMe, but I really do have to wonder why you waste your time here. We Haiku developers aren’t just going to throw up our hands and give up on Haiku because it isn’t immediately as great as the other major operating systems (not that they are that great…let’s be honest now, they all have flaws.) And clearly you don’t find it to be a worthwhile project. It seems like we should just agree to disagree and part ways.

Lastly on the topic of this thread, Haiku may not be as secure as it could be. But besides the fact that it is still in development, I’m pretty sure it would take a VERY, VERY, VERY long time for Haiku to come even close to causing as much harm as Microsoft has with their crappy, insecure software. The day that there is a botnet of Haiku machines even close to the levels of Windows machines, I’ll concede you have a point. But I just don’t see that happening.

Now that isn’t an excuse to be sloppy, but I just don’t think the risk of real user harm is there. Microsoft captured that “market” years ago.

I don’t think so, geleto’s claim rests on the false idea that these developers have done so much with less people, and I simply showed where that argument falls apart. It’s specific to Haiku only because geleto wrote about Haiku and this is a Haiku forum.

[quote]
I do appreciate some of your insights NoHaikuForMe, but I really do have to wonder why you waste your time here.[/quote]

I’d say you’ve answered your own question. In most projects this voice would be redundant but Haiku inherits from BeOS fandom an almost entirely uncritical approach. I suspect that BeOS in turn inherited it from Apple and the reality distortion field. But wherever it came from it’s unhealthy.

[quote]
Lastly on the topic of this thread, Haiku may not be as secure as it could be. But besides the fact that it is still in development, I’m pretty sure it would take a VERY, VERY, VERY long time for Haiku to come even close to causing as much harm as Microsoft has with their crappy, insecure software. The day that there is a botnet of Haiku machines even close to the levels of Windows machines, I’ll concede you have a point. But I just don’t see that happening.[/quote]

Haiku won’t achieve the popularity of Windows, and so according to you that means security isn’t important?

What’s not to get? Haiku R1 alpha ships an old unsupported browser that has known security holes. People running that browser are at hugely increased risk to have their personal data copied. In my day job I see the kind of data that’s collected this way (not the actual data of course, unless something goes wrong, since it would be unethical to look at it unnecessarily) and it means people’s credit card number and CVV, their name and address, email addresses and passwords. Everything people type into a web browser is being collected by organised criminals.

The message from you, and apparently Haiku, seems to be “Who cares? And by the way Microsoft suck. La la la”.

In terms of absolute numbers of people, the figures are tiny. Maybe a few thousand people try Haiku and use it to buy something on the web. Maybe one of those people is unlucky and gets their identity “stolen”. Compared to the millions of people still running Internet Explorer 6 with no updates, it’s not significant, right? But in terms of Haiku it’s huge. And while Microsoft is doing whatever they can to get their users to update, Haiku is complacent.

So you are showing a more critical eye toward Haiku for no reason except that this is a Haiku forum? OK. I hope in the Linux or Gnome forums you tell them how much they suck because they still haven’t gotten the Linux desktop right even with thousands of developers and tons of corporate cash.

No matter what you think in your distorted world view the Haiku developers have achieved a lot with a little.

That’s just bullshit. Obviously you are hiding here under your user name so I have no idea who you really are, but over the years on the mailing list and in various commit messages the various problems from BeOS have been discussed and sometimes fixed in Haiku. Examples include the slow and crappy userland network stack, the lack of a GUI layout system, the lack of tooltips, the slowness of the syscalls, the slow compiling of large programs, and various problems with BFS.

We are recreating BeOS so there is obviously some respect for BeOS and most of what it represents, but the developers aren’t a bunch of fanboys who see no flaws. Get realistic. Just because a few users here show some typical fanboyism does not mean the whole project runs under that attitude.

Don’t twist my words, security is important but regardless of popularity Haiku will never impact the world in the horrible way Windows has. I think our developers care much more about security than most Microsoft programmers, based on their respective track records. Plus Haiku is an ALPHA OS, whereas Windows is on its seventh release (really more if you count properly.)

[quote=NoHaikuForMe]What’s not to get? Haiku R1 alpha ships an old unsupported browser that has known security holes. People running that browser are at hugely increased risk to have their personal data copied.

SNIP

And while Microsoft is doing whatever they can to get their users to update, Haiku is complacent.[/quote]

So all the efforts that I and Maxime Simon have been doing to port WebKit and write a new browser for Haiku are seen by you as complacency? Whatever dude, it seems that nothing Haiku does is enough for Mr/Ms NoHaikuForMe, so I won’t waste my time anymore. Haiku is an alpha OS still heavily in development and you act like it’s running the space shuttle or something.

I’d like to see you rip apart all the other operating systems with a similar approach. I don’t think any OS would stand up to your ridiculous standards.

Either way others reading this can see your over the top negative bias toward Haiku and you’ll be written off as the troll you are.

Indeed critical debate is much more healthy in the communities you’ve mentioned. On the LKML for example you have someone like Brad Spengler. Thus an outsider voice would be redundant. The response to “Linux sucks” is not “go away troll” but “show us where and we’ll fix it”. The x264 author recently wrote about his experience as a non-kernel developer of showing a problem to the LKML and getting it fixed.

The network stack change was initiated by Be, not Haiku. Similarly Be had been promising a real 1990s-type layout API for some time. We’re talking about an eight year period, and the big changes you can come up with from Haiku are one thing Be already did, and another they already planned to do.

Maybe Haiku developers care more than anyone else in human history about security, but it seems that they don’t do much about it. Meanwhile Microsoft’s programmers who you allege care much less, have been steadily introducing better security over the same eight year period in which you remind us that Haiku has yet to release anything but an alpha.

Haiku didn’t ship your WebKit based browser, it shipped an unmaintained build of Bon Echo. Where’s the warning that this is just a placeholder for a real browser and shouldn’t be used, as users would expect, to check their bank balance, buy a book on Amazon, etc.?

[quote]
Either way others reading this can see your over the top negative bias toward Haiku and you’ll be written off as the troll you are.[/quote]

That would make you the second person in this thread to announce that I’m a troll and no-one should listen to me. If it’s true that negative comments about Haiku are automatically inflammatory to Haiku users then I think you’ve tacitly accepted my earlier point.

I’m guessing that in these cases, constructive criticism is often utilized. Generally when providing constructive criticism, one tries to provide solutions along with the criticism (and no, “stop using this software because it sucks” is not a constructive solution). In a FOSS project, it’s generally hard to make everyone happy when there is more work to do than there are volunteers to do it.

In this case, I think that you’re assuming that your criticisms are constructive for the project, but to the rest of us it seems your criticisms are nothing more than attempts to frustrate the project contributors and supporters - seemingly insinuating that they are intentionally doing things wrong.

I also find it strange that you concentrate all of your criticism for Haiku here on these forums rather than on the mailing list where most of the project contributors discuss aspects of Haiku that need to be modified or changed.

In any case, I have learned over the last few years that many of your criticisms are certainly warranted, but often poorly expressed in a way that can encourage change - which is why you are often labeled as “troll” I think.

Anyhow, sorry to take this so offtopic.

Good points umccullough.

If NoHaikuForMe seriously wanted to provide constructive criticism and be taken seriously, then:

  1. He/she would not use that inflammatory nickname. Try posting to the LKML as NoLinuxForMe and see how it goes.
  2. He/she would not hide here in the forums but would post on the mailing list where all Haiku developers could address his or her comments. Try posting to the Ubuntu forums about how the Linux scheduler sucks for X or Y and see if somehow the LKML people respond.
  3. He/she would actually provide constructive criticisms and not broad statements that some aspect of BeOS or Haiku is just inherently wrong and unfixable. Try telling the LKML that Linux will never be successful on the desktop because it is just a server OS and see if they just accept that without debate and give up, as apparently is expected of us for similar comments about Haiku.
  4. He/she would not stoop to using examples such as releasing the alpha with an old version of Firefox as why Haiku's developers don't care about security. In that case Ubuntu doesn't care about security either since they too once released with that version of Firefox. I'm sure some security bugs exist in the latest Firefox too. Damn do those Ubuntu people care at all about security? Actually with that mindset I can make all kinds of broad statements about Ubuntu: they don't care about users because of all the broken crap they've shipped over the years. They want Linux audio to fail because they shipped a broken PulseAudio. And on and on.

Basically all signs point to troll: “In Internet slang, a troll is someone who posts controversial, inflammatory, irrelevant, or off-topic messages in an online community, such as an online discussion forum, chat room or blog, with the primary intent of provoking other users into an emotional response or of otherwise disrupting normal on-topic discussion.”

Also if we really wanted to shut up NoHaikuForMe and stop all debate and negative criticism about Haiku we would have banned that user name long ago. But I’m sure NoHaikuForMe has a quip to explain that away too.

So why am I wasting my time here? I really would like to see NoHaikuForMe change their approach and post his or her valid complaints about Haiku on the mailing list, where more eyes can see them and maybe some of the truly broken things can be fixed. Until I see that happen I’ll always have that bad feeling of a troll when I read his or her posts here.

It’s pretty hard to offer something constructive to say about Haiku’s security. Haiku does not have security in any meaningful sense. You have perhaps heard the story of The Emperor’s New Clothes? Every post in this thread in which Haiku’s security is non-specifically praised is like a courtier exclaiming how wonderful the emperor’s new suit is in the story.

If for some reason this is opaque to Haiku’s developers, I’d say that’s one more reason to give it a wide berth, but let’s briefly spell some of it out for one tiny corner of the problem, security updates.

• Reporting. You need a reliable means to receive reports of security problems, with one or more trusted individuals responsible for receiving the information, keeping it confidential and ensuring it’s acted on quickly. Without such a mechanism it’s only to be expected that all disclosures will be public, “zero day”.
• Fixes. You need to react to reported security problems from security channels, your own security contacts and in public (e.g. via Bugtraq) by identifying a correct fix, and integrating that into the software as quickly as possible.
• Distribution. You need a mechanism to distribute fixes. It should be as easy as possible for users to get fixes, while being as hard as possible for black hats to delay, undo or subvert the update process.
• Alerting. You need a reliable method to let users know they’re vulnerable. Today it would be acceptable for this means to be primarily via the Internet. Again it should be hard for black hats to block this process.
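
The distribution point in the list above names three things an attacker may try against an update channel: delay, undo or subvert. As an added example (not part of the original post, and not Haiku's code), here is a minimal client-side check covering each. The manifest fields, function names and demo key are assumptions, and HMAC-SHA256 stands in for the public-key signature a real updater would verify against a pinned key.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 is a stand-in for a public-key signature
# (for example Ed25519); a real client would hold only the public half.
DEMO_KEY = b"constructed-demo-key"


def sign_manifest(manifest, key=DEMO_KEY):
    """Publisher side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def check_update(manifest, signature, payload, installed_version, now,
                 key=DEMO_KEY):
    """Client side: return (accepted, reason) for an offered update."""
    # Subvert: the metadata must be authentic before any field is trusted.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "bad signature"
    # Delay: metadata carries an expiry, so replaying an old (validly signed)
    # manifest to hide a newer fix stops working once the expiry passes.
    if now >= manifest["expires"]:
        return False, "metadata expired"
    # Undo: refuse anything that is not strictly newer than what is installed.
    if manifest["version"] <= installed_version:
        return False, "not newer than installed"
    # Subvert: the downloaded bytes must match the digest the manifest signed.
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return False, "payload digest mismatch"
    return True, "ok"


def demo():
    """Run the check over constructed inputs, one per failure mode."""
    payload = b"constructed update payload"
    manifest = {
        "version": 3,        # constructed build number
        "expires": 2000,     # constructed timestamp (seconds)
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    sig = sign_manifest(manifest)
    tampered = dict(manifest, version=9)  # field changed after signing
    return {
        "good": check_update(manifest, sig, payload, 2, 1000),
        "rollback": check_update(manifest, sig, payload, 5, 1000),
        "stale": check_update(manifest, sig, payload, 2, 3000),
        "tampered": check_update(tampered, sig, payload, 2, 1000),
        "swapped": check_update(manifest, sig, b"other bytes", 2, 1000),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
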

It’s just a thought, but why don’t you put your wasted breath to work by working on security then writing such long-winded comments. It’s a waste of time. If you really want to troll go on 4chan and whine. I do it when I’m frustrated. Your comments suck and you’re bringing nothing to the table. Also, guys, stop talking to this guy, it’s just pissing everyone off. NoHaikuForMe, please stop talking.

The design of your verification application seems extraordinarily invasive. Personally, I don’t want any kind of application (trusted or not) looking at my files and sending data regarding them to any external server unless I explicitly tell it to. (Like usage metrics and such)

While I agree that copy protection is important for companies who make their living selling some piece of software, said company doesn’t have the right to write random garbage (via your program) all over my files in an attempt to hide the authenticity key they’re using to make sure I don’t pirate the software I bought. Anything they do to protect their software from piracy has to happen within the application, in which case they can take any and all precautionary measures as they see fit.

In all cases, and especially with computers, personal privacy comes before the interests of any company. Because the “User is God” and you don’t write random garbage on all of God’s files to protect the interests of corporations.