Re: [dev] Re: st: Use after free
Martin Kühne writes:

> On Mon, Jan 23, 2017 at 5:11 AM, wrote:
>> What I believe[...]
>
> Whose responsibility would it be to test what you believe? It looks a
> lot like you expect us to figure out whether you are on to something
> relevant. I had a dream last night and in that dream I saw the
> glorious future of a moosotc figuring things out on his own. The
> issues, progress and the personal role that derives from what we
> accomplish this way is what gets us to places in life.

I don't think it's anyone's responsibility, just that people who write stuff want to know when there are problems with what they wrote.

--
mailto:moos...@gmail.com
Re: [dev] Internet privacy/decentralisation projects
now that everybody and their kitchen sink has internet it's getting a bit late for privacy. teaching people not to use android phones is a nearly pointless activity.
computer security and privacy is now a luxury of the technical elite and illiterate or offline people.

software has given all the means to individuals, but culture can prevent you from using software in the right way. the more time people spend their free-time online the more they synchronize to the global way of the internet kiddy culture.

decentralization technically works quite nicely as can be seen with bittorrent and bitcoin. but is incomplete in some sense, because there's always a central protocol that can be attacked. the faith people had in tor made them run into the nets of spying governments. even though the tor network is in a way decentralized the number of exit nodes is limited, thus easy to observe by one centralized intelligence entity. also when people use decentralized networks like tor to access multiple personalized and centralized services like facebook, google, twitter, ebay, amazon, banks, etc. obvious breaches occur.

in my opinion going only one step is worse than doing nothing here: the false security people get using end-to-end encrypted messengers on their automatically updating google phones makes me cringe every time i hear about it.
as i said, all the tools are there already, it's up to the masses to adopt them (they're not). so the work that is left is not technical engagement, you have to change how people think and how they interact online, unless you're able to make them stop using other centralized services you have failed. try with a small group of people first that actually has a need for privacy.

On 1/23/17, Caleb Malchik wrote:
> Greetings,
>
> I was wondering what the suckless community thinks about various
> projects aimed at Internet decentralisation and privacy - some of
> which are listed here [0]. Are there any projects in this area that
> are particularly promising from a suckless perspective?
>
> My personal reason for asking is that I have the opportunity this
> spring to get paid to contribute to an open source project of my
> choosing, which has a "democracy-enhancing" (or preserving) effect. Of
> course all Suckless projects are democracy-enhancing in a way, but for
> this I'm looking at projects with more of a focus on societal impact
> and the potential for mass adoption. Projects I've looked at include
> IPFS [1], cjdns [2], and Tox [3].
>
> I am a relatively inexperienced programmer, so I am eager to hear what
> more experienced folks have to say on this matter :)
>
> Cheers,
> Caleb
>
> [0] https://github.com/redecentralize/alternative-internet
> [1] https://ipfs.io/
> [2] https://github.com/cjdelisle/cjdns
> [3] https://tox.chat/
Re: [dev] Internet privacy/decentralisation projects
hiro wrote:
> try with a small group of people first that actually has a need for privacy.

Heyho,

in the special case where this privacy is to be achieved not with encryption, authentication and authorization (to limit the number of entities who are allowed to learn the secret which should be protected), but with an anonymity/pseudonymity system (where actions are not attributable to the actor's identity), be aware that it is not a good idea to use this system only if you need it. It would be too easy for third parties to filter all the users of the system out and assume every one of them has something to hide.

An anonymity system needs users who don't actually have a reason to use it. This is why the NSA or other investigation agencies don't have their own anonymity system to spy on their targets (they could be blocked relatively easily), but also use the more widespread systems like Tor.

If you want to know more, research "cover traffic" and "anonymity set size".

--Markus
Re: [dev] Internet privacy/decentralisation projects
On Mon, Jan 23, 2017 at 10:21:46AM +0100, hiro wrote:
> now that everybody and their kitchen sink has internet it's getting a
> bit late for privacy. teaching people not to use android phones is a
> nearly pointless activity.
> computer security and privacy is now a luxury of the technical elite
> and illiterate or offline people.
>
> software has given all the means to individuals, but culture can
> prevent you from using software in the right way. the more time people
> spend their free-time online the more they synchronize to the global
> way of the internet kiddy culture.
>
> decentralization technically works quite nicely as can be seen with
> bittorrent and bitcoin. but is incomplete in some sense, because
> there's always a central protocol that can be attacked. the faith
> people had in tor made them run into the nets of spying governments.
> even though the tor network is in a way decentralized the number of
> exit nodes is limited, thus easy to observe by one centralized
> intelligence entity. also when people use decentralized networks like
> tor to access multiple personalized and centralized services like
> facebook, google, twitter, ebay, amazon, banks, etc. obvious breaches
> occur.
>
> in my opinion going only one step is worse than doing nothing here:
> the false security people get using end-to-end encrypted messengers on
> their automatically updating google phones makes me cringe every time i
> hear about it.
> as i said, all the tools are there already, it's up to the masses to
> adopt them (they're not). so the work that is left is not technical
> engagement, you have to change how people think and how they interact
> online, unless you're able to make them stop using other centralized
> services you have failed. try with a small group of people first that
> actually has a need for privacy.
+1

Currently, computer security hygiene is first a social and usage issue, then a technical implementation issue, and finally a mathematical and science issue.

De-centralized and volatile internet "services" imply, mechanically, a much less comfy usage than centralized or non-massively decentralized protocols. Mechanically lambda users are driven to the most comfy internet "services", hence centralized or non-massively decentralized and non-volatile "services".

Everything has exceptions, bittorrent makes me lie (even though some companies, proxies of US movie/music majors, are trying hard to take over the protocol by complexity, see libutp->µtorrent->bittorrent INC->Majors). Its volatility makes it a really fluid and moving "target", and only a near perfect digital dictatorship could block it, thus the sabotage or control take over with complexity (usually c++ components). Many lambda users managed to learn and use it, and that, very probably, because they could download their movie/game/series/music in a comfier/free way than getting a dvd/bluray/cd/locked down device.

De-centralized services mean you can bring back those services in control of their users. For technically literate people, that could be mitigated in a reasonable way, but not all cases.

I heard of the "privacy internet boxes", basically personal email servers, personal web servers. But, I don't think a lot of email clients support email addresses with an IPv4/IPv6 address instead of a domain name. I even wonder if fatty smtp servers do support the feature too (I wrote a really minimal receiving smtp server, even the smtp protocol in itself is too fat). And with all that, your emails will end up in spam boxes of big centralized email services (gmail,yahoo...) or blocked. Freedom and privacy come with spam, it's the price to pay.

There are tons of more things to say about those, because those are really complex issues and evil there is smart and clever.

--
Sylvain
[dev] Re: st: Use after free
moos...@gmail.com writes: > `valgrind st -f mono-2 cat full-bmp.txt' [1] > > Yields quite a few invalid reads from freed blocks, the issue is related > to cache management. In the real world those dangling pointer issues > lead to segfaults or X11 errors (eventually) > > [1] http://www.cl.cam.ac.uk/~mgk25/ucs/full-bmp.txt Following avoids using freed fonts. diff --git a/st.c b/st.c index fbcd9e0..667e7af 100644 --- a/st.c +++ b/st.c @@ -3783,6 +3783,7 @@ xmakeglyphfontspecs(XftGlyphFontSpec *specs, const Glyph *glyphs, int len, int x */ if (frclen >= LEN(frc)) { frclen = LEN(frc) - 1; + specs->font = NULL; XftFontClose(xw.dpy, frc[frclen].font); frc[frclen].unicodep = 0; } @@ -3928,7 +3929,10 @@ xdrawglyphfontspecs(const XftGlyphFontSpec *specs, Glyph base, int len, int x, i XftDrawSetClipRectangles(xw.draw, winx, winy, &r, 1); /* Render the glyphs. */ - XftDrawGlyphFontSpec(xw.draw, fg, specs, len); + if (specs->font) + XftDrawGlyphFontSpec(xw.draw, fg, specs, len); + else + fprintf(stderr, "st: nil font\n"); /* Render underline and strikethrough. */ if (base.mode & ATTR_UNDERLINE) { -- mailto:moos...@gmail.com
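Review bot: In the xmakeglyphfontspecs hunk, "specs->font = NULL;" writes through the array base that the function receives together with len, so it clears only the first entry, whichever font that entry holds, and leaves untouched any other entry that still points at frc[frclen].font when XftFontClose runs. Clear every already-filled entry whose font equals the one being closed, or postpone the close until the specs have been drawn, and add a comment saying why the pointer is reset.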
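Review bot: In the xdrawglyphfontspecs hunk, "if (specs->font)" tests only the first of the len entries passed to XftDrawGlyphFontSpec, so a NULL font in a later entry still reaches Xft, and a NULL first entry drops the whole run including entries with valid fonts. Check each entry and draw only the valid sub-runs, or make the caller guarantee that no entry refers to a closed font; the fprintf on every skipped draw can also flood stderr, so consider logging it once or removing it.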
[dev] Re: st: Use after free
On Mon, Jan 23, 2017, at 02:48, Martin Kühne wrote:
> I had a dream last night...

Now now. No need to hold contempt on the mailing lists. Suckless isn't some Linux list where we go off on people who want to help but didn't read the entire codebase, wiki, and archive before posting.

However, moosotc, it's always best to have even a basic working patch when reporting problems to OSS projects. Doubly so on ones that focus on code first, users second. :)

Thank you for the patch.
Re: [dev] Re: st: Use after free
On Mon, Jan 23, 2017 at 4:18 PM, Alexander Keller wrote:
> Now now. No need to hold contempt on the mailing lists. Suckless isn't
> some Linux list where we go off on people who want to help but didn't
> read the entire codebase, wiki, and archive before posting.

Cool. I'll have to remember this one. "now now, do not hold contempt, we're not one of those places" is a downright mindfuck.

cheers!
mar77i
Re: [dev][announce] lr: tiny log rotater
On Sun, 22 Jan 2017 18:13:40 -0500
Wolfgang Corcoran-Mathe wrote:

Hey Wolfgang,

> I’ve seen your opinions on this point a few times and understand your
> position, although I don’t agree with it. Briefly, and without wanting
> to start a flamewar: whatever convenience or legal protection licenses
> provide, they are philosophically very different from a dedication to
> the public domain. The public domain is too great an idea to give up
> out of fear of country %s’s interpretation of it. BSD/MIT/ISC may be
> “100% legally waterproof”, but they are totally inferior in spirit to
> the old hacker license: “share and enjoy”.

what is not "share and enjoy" about 0BSD? What more do you want?

--
Laslo Hunhold
Re: [dev] Re: st: Use after free
On Mon, Jan 23, 2017, at 10:18, Alexander Keller wrote:
> Now now. No need to hold contempt on the mailing lists. Suckless isn't
> some Linux list where we go off on people who want to help but didn't
> read the entire codebase, wiki, and archive before posting.

Uh, yea it is. Where have you been? Many times I have seen on this list a poster who reports a bug without a patch scolded, berated, and generally treated like shit for daring to do so. I would think that a suckless developer who takes pride in his/her programming would *want* to know about any bugs regardless of whether a patch is provided, but it seems like some people on this list take pride in their nastiness.

Personally I think it is despicable and anti-progress to discourage bug reports.

By the way, I'd like to point out that I've noticed that Laslo/FRIGN (if you are the same person) has become much less grouchy and much more nice in the recent past. Thank you Laslo/FRIGN!
Re: [dev] Re: st: Use after free
On Mon, Jan 23, 2017 at 5:48 PM, Greg Reagle wrote:
> Personally I think it is despicable and anti-progress to discourage bug
> reports.

I specifically asked to make sure it's a bug in st, which I didn't write. And I no longer have all day to solve any problem that crosses my path for anyone. Vague hints, even if they would turn out to reveal an actual issue are counterproductive because they mean potentially many tiring debugging sessions for helpers. And, so I would like to overstate, help send a project's contributors on ghost hunts, effectively barring them from doing actual work.

Let me not waste more of your free time, though.

https://xkcd.com/583/

cheers!
mar77i
Re: [dev] Re: st: Use after free
nobody ever has time for me, *cry*
Re: [dev][announce] lr: tiny log rotater
i can't enjoy it cause you keep on talking about licenses.

On 1/23/17, Laslo Hunhold wrote:
> On Sun, 22 Jan 2017 18:13:40 -0500
> Wolfgang Corcoran-Mathe wrote:
>
> Hey Wolfgang,
>
>> I’ve seen your opinions on this point a few times and understand your
>> position, although I don’t agree with it. Briefly, and without wanting
>> to start a flamewar: whatever convenience or legal protection licenses
>> provide, they are philosophically very different from a dedication to
>> the public domain. The public domain is too great an idea to give up
>> out of fear of country %s’s interpretation of it. BSD/MIT/ISC may be
>> “100% legally waterproof”, but they are totally inferior in spirit to
>> the old hacker license: “share and enjoy”.
>
> what is not "share and enjoy" about 0BSD? What more do you want?
>
> --
> Laslo Hunhold
Re: [dev] Internet privacy/decentralisation projects
what is lambda?
Re: [dev] Internet privacy/decentralisation projects
On Mon, Jan 23, 2017 at 04:18:40AM +, Caleb Malchik wrote:
> I was wondering what the suckless community thinks about various
> projects aimed at Internet decentralisation and privacy

Decentralization results in metadata leakage and therefore reduces privacy. By splitting the system into components that communicate over the network you expose internal communications.

Privacy then may come from separation of control over various parts of the system that is only possible in decentralized systems, but it is a separate task.

> My personal reason for asking is that I have the opportunity this
> spring to get paid to contribute to an open source project of my
> choosing, which has a "democracy-enhancing" (or preserving) effect. Of
> course all Suckless projects are democracy-enhancing in a way, but for
> this I'm looking at projects with more of a focus on societal impact
> and the potential for mass adoption. Projects I've looked at include
> IPFS [1], cjdns [2], and Tox [3].

Look at https://matrix.org/. It has a chance to suck less than XMPP and eventually replace it.

Matrix is HTTP under the hood, which is still better than infinite-XML-document-over-TCP. Unlike IRC you get working federation instead of permanent netsplits, VOIP and builtin E2E encryption.

Desktop client that is not just a packaged webapp is needed.
Re: [dev] Internet privacy/decentralisation projects
On Mon, Jan 23, 2017 at 02:12:23PM +0100, Sylvain BERTRAND wrote:
> non-massively decentralized protocols

You probably want to use the word "federated".

Also I don't understand what "lambda users" means.