From cwebber@dustycloud.org Tue Nov 3 16:32:16 2015 Return-Path: X-Original-To: userops@mediagoblin.org Delivered-To: userops@mediagoblin.org Received: from dustycloud.org (dustycloud.org [50.116.34.160]) by mail.mediagoblin.org (Postfix) with ESMTP id B6370326E7 for ; Tue, 3 Nov 2015 16:32:16 -0500 (EST) Received: from earlgrey (localhost [127.0.0.1]) by dustycloud.org (Postfix) with ESMTPS id 2174426779; Tue, 3 Nov 2015 16:32:16 -0500 (EST) References: <878u7rsuak.fsf@dustycloud.org> From: Christopher Allan Webber To: Asheesh Laroia Date: Tue, 03 Nov 2015 15:31:21 -0600 In-reply-to: Message-ID: <87fv0mg467.fsf@dustycloud.org> MIME-Version: 1.0 Content-Type: text/plain Cc: Userops Subject: Re: [Userops] Userops Acid Test v0.1 X-BeenThere: userops@mediagoblin.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: "Server deployment by the people, for the people!" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Nov 2015 21:32:16 -0000 Asheesh Laroia writes: > On Sun, Sep 27, 2015 at 9:20 AM, Christopher Allan Webber < > cwebber@dustycloud.org> wrote: > >> Hello all, >> >> I thought it would be useful for me to write up, in an >> implementation-agnostic form, a clear example of what I think >> (personally) are a set of useful requirements for a Userops type system. >> So here's a braindump of what I see are essential properties of such a >> system... >> >> http://dustycloud.org/blog/userops-acid-test/ >> >> I wrote this up independently, and I'm sure I'm missing some things. >> Consider this Userops Acid Test v0.1? >> > > FWIW the original Acid Test gives users a very quick binary: The thing > looks visually correct, or it doesn't. > > You can look at http://acid2.acidtests.org/#top and > http://www.w3.org/Style/CSS/Test/CSS1/current/test5526c.htm to get a sense > of that. > > So I propose that a userops Acid Test should have a boolean answer, even if > the answer ends up being "No for a stupid reason" for one system or > another. We can all live with that. I think this was an issue with Acid > Test 1, but I think that everyone lived with it. It took me half a month to reply to this (eek!) but I agree, "acid test" was probably not a good name choice... this is not a very good pass/fail type test. It's something that involves a bit more subjective ranking. Which is probably still useful, but probably not something that should be called "acid test"! From cwebber@dustycloud.org Tue Nov 3 17:13:30 2015 Return-Path: X-Original-To: userops@mediagoblin.org Delivered-To: userops@mediagoblin.org Received: from dustycloud.org (dustycloud.org [50.116.34.160]) by mail.mediagoblin.org (Postfix) with ESMTP id 827D63273E for ; Tue, 3 Nov 2015 17:13:30 -0500 (EST) Received: from earlgrey (localhost [127.0.0.1]) by dustycloud.org (Postfix) with ESMTPS id 37B5B26779; Tue, 3 Nov 2015 17:13:30 -0500 (EST) References: <878u7rsuak.fsf@dustycloud.org> From: Christopher Allan Webber To: Asheesh Laroia Date: Tue, 03 Nov 2015 15:32:53 -0600 In-reply-to: Message-ID: <87egg6g29h.fsf@dustycloud.org> MIME-Version: 1.0 Content-Type: text/plain Cc: Userops Subject: Re: [Userops] Userops Acid Test v0.1 X-BeenThere: userops@mediagoblin.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: "Server deployment by the people, for the people!" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Nov 2015 22:13:30 -0000 Asheesh Laroia writes: > Sorry to keep self-replying here. > > Another aspect for your "Security" list: > > * Automatic updates. > > People don't update the free software they self-host. Mozilla doesn't; > Pirate Party doesn't; La Quadrature du Net doesn't; Wikimedia doesn't; > Framasoft doesn't; and so on. You can see the evidence for that here: > http://blog.etherpad.org/2015/03/04/update-your-etherpad/ > > So we now have the data: if there are no auto-updates, people do not > update, even with free software. The world has run the study, and the blog > post at etherpad.org shows the data. > > I write the above _intending_ to sound dogmatic; I think this is a lesson > that the free software world as a whole has not learned, so I am passionate > about making the point. I think the auto-update approach has a problem: it means that every application becomes its own package manager. I don't think we're going to reduce the complexity of our systems via this approach. I already have too many package managers to handle! Each of my applications having one won't make things easier for me, I think. However the blogpost is good, it definitely appropriately raises the right concerns. It's extremely worrying that even largeish free software orgs can't manage to get their stuff updated. However I think going into detail about that will move back towards the motivations for "userops" in the first place... so good to see more motivation for doing userops things! From bounces+1573515-9459-userops=mediagoblin.org@smtp.sandstorm.io Tue Nov 3 17:25:37 2015 Return-Path: X-Original-To: userops@mediagoblin.org Delivered-To: userops@mediagoblin.org Received: from o1.smtp.sandstorm.io (o1.smtp.sandstorm.io [50.31.58.214]) by mail.mediagoblin.org (Postfix) with ESMTPS id AFC0732852 for ; Tue, 3 Nov 2015 17:25:37 -0500 (EST) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sandstorm.io; h=mime-version:in-reply-to:references:from:subject:cc:content-type; s=smtpapi; bh=RQv32Nwz/59oQDXALYZPNjWvGRA=; b=Mftd5Vhx8mwTXVRyHo rdrBRidYRvju4TX34wn06BeRUYz9mrkIRwcZpM3/O34iTkqZnpwRvpe+eYcuzQaT +Wr60VLFHH7P7HYurHAeSnXcWCx6NRX1YygxFaAUqU+4cxBTy+UofkIiEJphUx0W /gt7RHJgkt9OtnSxHwgjoDeo4= Received: by filter0414p1mdw1.sendgrid.net with SMTP id filter0414p1mdw1.28348.5639345A48 2015-11-03 22:25:30.61145118 +0000 UTC Received: from mail-ig0-f177.google.com (mail-ig0-f177.google.com [209.85.213.177]) by ismtpd0003p1iad1.sendgrid.net (SG) with ESMTP id lYAsQU8bS_KKaqHQ566qlw for ; Tue, 03 Nov 2015 22:25:30.455 +0000 (UTC) Received: by igpw7 with SMTP id w7so91358113igp.0 for ; Tue, 03 Nov 2015 14:25:30 -0800 (PST) X-Gm-Message-State: ALoCoQlHKAvU3cVWuW4nVJtsYiqxpYHSvMSlFOdnq+AFXiUonx5l18a6/z5zTPmi7hO47lmy75Br X-Received: by 10.50.134.98 with SMTP id pj2mr20418816igb.46.1446589530189; Tue, 03 Nov 2015 14:25:30 -0800 (PST) MIME-Version: 1.0 Received: by 10.36.207.194 with HTTP; Tue, 3 Nov 2015 14:25:10 -0800 (PST) In-Reply-To: <87egg6g29h.fsf@dustycloud.org> References: <878u7rsuak.fsf@dustycloud.org> <87egg6g29h.fsf@dustycloud.org> From: Asheesh Laroia Date: Tue, 3 Nov 2015 14:25:10 -0800 Message-ID: Cc: Userops Content-Type: multipart/alternative; boundary=047d7b343a42154e530523aa5f6a X-SG-EID: QjF5jAKuX5uulC7Ixj1IkgZFAw0QtRXkTr0mdE8R6yGI8JVqyRh/lvVMJeSLKdSdCDPuZU/Q/ObetZ tjyNo9Qa34gHIuI+N1LcOtV2s2v4xp7Nzwohh9X5LvSJHz80Q4JmRNijp3v7Br0bwEkFSbPVtRTX+M mV2ltDTYVs9g3lEBoxUtYW6wPWlGJWrCNsBW Subject: Re: [Userops] Userops Acid Test v0.1 X-BeenThere: userops@mediagoblin.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: "Server deployment by the people, for the people!" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Nov 2015 22:25:37 -0000 --047d7b343a42154e530523aa5f6a Content-Type: text/plain; charset=UTF-8 On Tue, Nov 3, 2015 at 1:32 PM, Christopher Allan Webber < cwebber@dustycloud.org> wrote: > Asheesh Laroia writes: > > > Sorry to keep self-replying here. > > > > Another aspect for your "Security" list: > > > > * Automatic updates. > > > > People don't update the free software they self-host. Mozilla doesn't; > > Pirate Party doesn't; La Quadrature du Net doesn't; Wikimedia doesn't; > > Framasoft doesn't; and so on. You can see the evidence for that here: > > http://blog.etherpad.org/2015/03/04/update-your-etherpad/ > > > > So we now have the data: if there are no auto-updates, people do not > > update, even with free software. The world has run the study, and the > blog > > post at etherpad.org shows the data. > > > > I write the above _intending_ to sound dogmatic; I think this is a lesson > > that the free software world as a whole has not learned, so I am > passionate > > about making the point. > > I think the auto-update approach has a problem: it means that every > application becomes its own package manager. I don't think we're going > to reduce the complexity of our systems via this approach. I already > have too many package managers to handle! Each of my applications > having one won't make things easier for me, I think. > If a prescriptive approach ("You MUST auto-update to be userops compliant") doesn't work for you, I wonder if you'd prefer an empirical one -- for example, userops researchers should be scanning a random sample of installed systems of Debian's new web app packaging, guix, sandstorm, etc. and finding out if people are vulnerable to security bugs in outdated web apps. This way, every userops system can handle this however they want, and we can find out empirically if the real practical question -- exposure to security issues in apps that leak user data -- is something that the tool has a good story for. And I'm not *sure* this is the best approach to finding out empirically if people are vulnerable to app bugs, but IMHO this is a hugely serious issue (as per blog post I linked-to; the bugs defeat all user privacy on these Etherpads) so I think the Userops "Is this system good or not?" would be remiss to not consider app bugs one way or another. If you wish, I can probably be responsible for writing the scanning tool, though I'd hope someone else would step up to do it instead of me! Curious what you make of that idea. And taking a month or two to reply is fine, honestly! --047d7b343a42154e530523aa5f6a Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
On T= ue, Nov 3, 2015 at 1:32 PM, Christopher Allan Webber <= cwebber@dustycl= oud.org> wrote:
Ashee= sh Laroia writes:

> Sorry to keep self-replying here.
>
> Another aspect for your "Security" list:
>
> * Automatic updates.
>
> People don't update the free software they self-host. Mozilla does= n't;
> Pirate Party doesn't; La Quadrature du Net doesn't; Wikimedia = doesn't;
> Framasoft doesn't; and so on. You can see the evidence for that he= re:
> http://blog.etherpad.org/2015/03/04/up= date-your-etherpad/
>
> So we now have the data: if there are no auto-updates, people do not > update, even with free software. The world has run the study, and the = blog
> post at etherpad.org shows the data.
>
> I write the above _intending_ to sound dogmatic; I think this is a les= son
> that the free software world as a whole has not learned, so I am passi= onate
> about making the point.

I think the auto-update approach has a problem: it means that every<= br> application becomes its own package manager.=C2=A0 I don't think we'= ;re going
to reduce the complexity of our systems via this approach.=C2=A0 I already<= br> have too many package managers to handle!=C2=A0 Each of my applications
having one won't make things easier for me, I think.

If a prescriptive approach ("You MUST auto-update to= be userops compliant") doesn't work for you, I wonder if you'= d prefer an empirical one -- for example, userops researchers should be sca= nning a random sample of installed systems of Debian's new web app pack= aging, guix, sandstorm, etc. and finding out if people are vulnerable to se= curity bugs in outdated web apps.

This way, every = userops system can handle this however they want, and we can find out empir= ically if the real practical question -- exposure to security issues in app= s that leak user data -- is something that the tool has a good story for.

And I'm not *sure* this is the best approach to= finding out empirically if people are vulnerable to app bugs, but IMHO thi= s is a hugely serious issue (as per blog post I linked-to; the bugs defeat = all user privacy on these Etherpads) so I think the Userops "Is this s= ystem good or not?" would be remiss to not consider app bugs one way o= r another.

If you wish, I can probably be responsi= ble for writing the scanning tool, though I'd hope someone else would s= tep up to do it instead of me!

Curious what you ma= ke of that idea. And taking a month or two to reply is fine, honestly!
--047d7b343a42154e530523aa5f6a-- From shtrom+userops@ssji.net Tue Nov 3 17:53:50 2015 Return-Path: X-Original-To: userops@mediagoblin.org Delivered-To: userops@mediagoblin.org Received: from atp-mxout1.it.nicta.com.au (atp-mxout1.it.nicta.com.au [221.199.216.122]) by mail.mediagoblin.org (Postfix) with ESMTPS id 8A84A32714 for ; Tue, 3 Nov 2015 17:53:50 -0500 (EST) Received: from atp-exchmbx1.it.nicta.com.au ([221.199.216.119] helo=atp-exchmbx1.in.nicta.com.au) by atp-mxout1.it.nicta.com.au with esmtp (Exim 4.80) (envelope-from ) id 1ZtkSU-0007Ry-4d; Wed, 04 Nov 2015 09:53:46 +1100 Received: from ATP-EXCHCAS1.in.nicta.com.au (221.199.216.118) by atp-exchmbx1.in.nicta.com.au (221.199.216.119) with Microsoft SMTP Server (TLS) id 14.3.158.1; Wed, 4 Nov 2015 09:53:40 +1100 Received: from blasturvion (221.199.216.112) by atp-exchcas1.in.nicta.com.au (221.199.216.118) with Microsoft SMTP Server (TLS) id 14.3.158.1; Wed, 4 Nov 2015 09:53:39 +1100 Received: by blasturvion (sSMTP sendmail emulation); Wed, 04 Nov 2015 09:53:39 +1100 Date: Wed, 4 Nov 2015 09:53:39 +1100 From: Olivier Mehani To: Asheesh Laroia Message-ID: <20151103225339.GA1275@blasturvion.dynhost.nicta.com.au> References: <878u7rsuak.fsf@dustycloud.org> <87egg6g29h.fsf@dustycloud.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="SLDf9lqlvOQaIe6s" Content-Disposition: inline In-Reply-To: X-Accept-Language: fr, en, es OpenPGP: id=4435CF6A7C8DDD9BE2DEF5F9F012A6E298C66655; preference=signencrypt; url=https://olivier.mehani.name/olivier.mehani.pgp.asc User-Agent: Mutt/1.5.24 (2015-08-30) X-TM-AS-Product-Ver: SMEX-11.0.0.1251-8.000.1202-21920.003 X-TM-AS-Result: No--21.812700-8.000000-31 X-TM-AS-User-Approved-Sender: No X-TM-AS-User-Blocked-Sender: No Cc: Userops Subject: Re: [Userops] Userops Acid Test v0.1 X-BeenThere: userops@mediagoblin.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: "Server deployment by the people, for the people!" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Nov 2015 22:53:50 -0000 --SLDf9lqlvOQaIe6s Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Nov 03, 2015 at 02:25:10PM -0800, Asheesh Laroia wrote: > > I think the auto-update approach has a problem: it means that every > > application becomes its own package manager. I don't think we're going > > to reduce the complexity of our systems via this approach. I already > > have too many package managers to handle! Each of my applications > > having one won't make things easier for me, I think. I agree with the disagreement with auto-update. You want one package manage to rule them all, or at least a very small number thereof. > If a prescriptive approach ("You MUST auto-update to be userops compliant= ") > doesn't work for you, I wonder if you'd prefer an empirical one -- for > example, userops researchers should be scanning a random sample of > installed systems of Debian's new web app packaging, guix, sandstorm, etc. > and finding out if people are vulnerable to security bugs in outdated web > apps. > And I'm not *sure* this is the best approach to finding out empirically if > people are vulnerable to app bugs, but IMHO this is a hugely serious issue > (as per blog post I linked-to; the bugs defeat all user privacy on these > Etherpads) so I think the Userops "Is this system good or not?" would be > remiss to not consider app bugs one way or another. That's a good idea. Beyond auto-update, one thing that, for example, Wordpress does is to send you email about new version. Not necessarily installing them, but letting you know about that, so you know something needs to be done. I wouldn't have issues with any web-app sending me an email about being out of date. There is a privacy issue with pinging home, though. One better option would be selective subscription to update and CVEs: your system knows what packages are installed. Everyday, it could download a fresh version of the new CVEs (and similar for version, but this is really what apt already does), check the list for any package you have installed, and send you a personalised email telling you what's wrong with your system. All locally. --=20 Olivier Mehani PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655 Confidentiality cannot be guaranteed on emails sent or received unencrypted. --SLDf9lqlvOQaIe6s Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQF8BAABCgBmBQJWOTryXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ5MzA1NjQ3NTk5QUQ1MUVBNTkxREJDRkRF OTU2NkI5RDA5NTdEMkQzAAoJEOlWa50JV9LTGaEH/0/vhLJHez5E+jybOna8Zomh Id8mtSacOkI29i8Gy/2lEQeyvfNduf8YY/2qmZ07/tQksLDQAaX+SjTRvLJQdlcT KacGTsS9X4AuiW0+wgkmfjpt0nFgLc/4HdcT1J5rsOUGOEBiu5wfzMkrC2q3CMnk p/zFQsA3X3SC4y7oW1VzeXEfvdpz3YkDHC7+PAIjIyzseimoxFa+DsHbi77hO1Vq 0vtXpqFT9pHo4THR077WqRDaQOzm8tF0nrISH96adrqxM67zi1Mk/p0iVt34TO+p R1KGBG2erTvAkY9aHpQoQ51TKQ2wnh3mug1nbSsGJQhznnNRAne0iUJCrzcOwYc= =+a+Z -----END PGP SIGNATURE----- --SLDf9lqlvOQaIe6s-- From cwebber@dustycloud.org Wed Nov 4 11:28:46 2015 Return-Path: X-Original-To: userops@mediagoblin.org Delivered-To: userops@mediagoblin.org Received: from dustycloud.org (dustycloud.org [50.116.34.160]) by mail.mediagoblin.org (Postfix) with ESMTP id ED617338C4 for ; Wed, 4 Nov 2015 11:28:46 -0500 (EST) Received: from earlgrey (localhost [127.0.0.1]) by dustycloud.org (Postfix) with ESMTPS id 5918B26789; Wed, 4 Nov 2015 11:28:46 -0500 (EST) References: <878u7rsuak.fsf@dustycloud.org> <87egg6g29h.fsf@dustycloud.org> From: Christopher Allan Webber To: Asheesh Laroia Date: Wed, 04 Nov 2015 10:28:36 -0600 In-reply-to: Message-ID: <8737wlg24h.fsf@dustycloud.org> MIME-Version: 1.0 Content-Type: text/plain Cc: Userops Subject: Re: [Userops] Userops Acid Test v0.1 X-BeenThere: userops@mediagoblin.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: "Server deployment by the people, for the people!" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Nov 2015 16:28:47 -0000 Asheesh Laroia writes: > On Tue, Nov 3, 2015 at 1:32 PM, Christopher Allan Webber < > cwebber@dustycloud.org> wrote: > >> Asheesh Laroia writes: >> >> > Sorry to keep self-replying here. >> > >> > Another aspect for your "Security" list: >> > >> > * Automatic updates. >> > >> > People don't update the free software they self-host. Mozilla doesn't; >> > Pirate Party doesn't; La Quadrature du Net doesn't; Wikimedia doesn't; >> > Framasoft doesn't; and so on. You can see the evidence for that here: >> > http://blog.etherpad.org/2015/03/04/update-your-etherpad/ >> > >> > So we now have the data: if there are no auto-updates, people do not >> > update, even with free software. The world has run the study, and the >> blog >> > post at etherpad.org shows the data. >> > >> > I write the above _intending_ to sound dogmatic; I think this is a lesson >> > that the free software world as a whole has not learned, so I am >> passionate >> > about making the point. >> >> I think the auto-update approach has a problem: it means that every >> application becomes its own package manager. I don't think we're going >> to reduce the complexity of our systems via this approach. I already >> have too many package managers to handle! Each of my applications >> having one won't make things easier for me, I think. >> > > If a prescriptive approach ("You MUST auto-update to be userops compliant") > doesn't work for you, I wonder if you'd prefer an empirical one -- for > example, userops researchers should be scanning a random sample of > installed systems of Debian's new web app packaging, guix, sandstorm, etc. > and finding out if people are vulnerable to security bugs in outdated web > apps. > > This way, every userops system can handle this however they want, and we > can find out empirically if the real practical question -- exposure to > security issues in apps that leak user data -- is something that the tool > has a good story for. > > And I'm not *sure* this is the best approach to finding out empirically if > people are vulnerable to app bugs, but IMHO this is a hugely serious issue > (as per blog post I linked-to; the bugs defeat all user privacy on these > Etherpads) so I think the Userops "Is this system good or not?" would be > remiss to not consider app bugs one way or another. > > If you wish, I can probably be responsible for writing the scanning tool, > though I'd hope someone else would step up to do it instead of me! > > Curious what you make of that idea. And taking a month or two to reply is > fine, honestly! That's a direction I think makes a lot of sense!