Re: [GTALUG] video: The Dark Side of Open Source

2024-01-08 Thread Evan Leibovitch via talk
For what it's worth, the author of Thorium has made a reply which includes
a public apology and explanation:
https://alex313031.blogspot.com/2024/01/the-good-bad-and-ugly.html

I'm using his Firefox clone, the Mercury browser, and am happy with it.

- Evan

On Sun, Jan 7, 2024 at 6:47 PM D. Hugh Redelmeier via talk wrote:

> This video was recommended to me:
>
> Chris Titus Tech: The Dark Side of Open Source
> 
>
> Apparently Titus recommended Thorium, a mod of the Chromium browser.
> Now he feels burned because of a couple of non-mainstream Easter eggs.
>
> It seems mostly overwrought silliness to me.  But you can decide for
> yourself.
>
> The story isn't really about open source.  It is about trust and
> verification of software.  The bigger / more complex the object, the
> harder it is to trust.  A very very deep problem.
>
> How does open source relate to this?
>
> - (we think that) it is harder to sue an open source project than a
>   commercial software producer.
>
> - the infrastructure for open source (GitHub, for example) lets you build
>   and distribute new mixes of things without a lot of effort.  So one oddball
>   can create and distribute a useful system
>
> - a larger team, needed in the past, would probably have an average
>   weirdness that is less than some random single creator.
>
> - open source software can be examined.  This is likely how the
>   "problems" with Thorium were discovered.
>
> I don't even know why Thorium was interesting.  It is a hacked version
> of Chromium.  Are the hacks interesting?  Apparently its main
> advantage is that it is compiled with higher optimization.  If they
> judged it worth doing, the Chrome project could do this itself.  As
> could the distros that package Chrome or Chromium.
>
> The only browsers that I (reluctantly) trust enough to use are
> FireFox, Chrome, Chromium.  Links or Lynx when desperate.
> Browser-of-the-month isn't a club for me since the browser is my main
> exposure to security threats.
>
> There is a very interesting question here: how can software earn trust?
> Any software, including open source software.
>
> A recent enthusiasm has been to implement procedures to prevent "supply
> chain attacks". Things like "software bills of materials" (provenance of
> components).  The (deserved) whipping boy has been NPM, the repo for open
> source JavaScript.  Equally scary things exist for Python, Perl, and Rust,
> for example.
>
> The Thorium browser problem could be classified as a supply chain problem.
>
> Reliable software is hard.  We have to work on it any way that is
> effective.
>
> PS: I'm looking at Titus' video recommending Thorium in the first place.
> 
> - He gushes about how much faster it is than Chromium and Chrome.
> - He suggests that the author has added accelerators not in chromium.
> - A few nice little things.
> - He mentions "multi-threading improvements" which seems unlikely.


-- 
Evan Leibovitch, Toronto Canada
@evanleibovitch / @el56
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk


Re: [GTALUG] lazy jail server admin forced to act

2024-01-08 Thread D. Hugh Redelmeier via talk
| From: Alvin Starr via talk 

| SPF should insure that only your email servers can be used to send mail from
| your domain.

Related:

My Postfix server validates HELO / EHLO records.  These records declare 
the name of the server contacting my server.  Postfix makes sure that the 
declared name resolves to the IP address from which the server was 
contacted.  At least that's what I think it does.

From /etc/postfix/main.cf:

smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname

This catches a lot of SPAM.  But it also blocks a few badly configured 
servers that I want to get messages from.  The ones that I've noticed:

- some parts of Sunnybrook hospital

- rakuten

I have been unable to contact the technical people at these sites to get 
them to fix their problem.


| There was once a guy who insisted on running an open relay and believed that
| anybody blocking open relays were infringing on his rights.
| He was VERY loud about his convictions that open relays were not the problem,
| spammers were.

John Gilmore?  He's generally soft-spoken but has strong convictions.


Hugh Daniel?  Sadly gone.  But he definitely was loud.


BTW, both are/were strong forces for good.
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
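An added illustration of the smtpd_helo_restrictions list above (not Postfix code and not the poster's): a Python model of the four restrictions, evaluated in order against a constructed DNS table and a constructed mynetworks list. The unknown-hostname check follows the Postfix documentation (the name has no A or MX record); address literals are not modelled.

```python
import ipaddress
import re

# Constructed DNS table for the demonstration; no real lookups are made.
DNS = {
    "mail.example.org": {"A": ["203.0.113.10"]},
    "mx.example.net": {"MX": ["mail.example.net"]},
}
# Constructed stand-in for Postfix $mynetworks.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def invalid_helo_hostname(name):
    """reject_invalid_helo_hostname: bad hostname syntax (length, characters, labels)."""
    if not name or len(name) > 253:
        return True
    return any(not LABEL.match(label) for label in name.rstrip(".").split("."))

def non_fqdn_helo_hostname(name):
    """reject_non_fqdn_helo_hostname: a bare label such as 'localhost' is not an FQDN."""
    return len(name.rstrip(".").split(".")) < 2

def unknown_helo_hostname(name):
    """reject_unknown_helo_hostname: the name has neither an A nor an MX record."""
    records = DNS.get(name.rstrip(".").lower(), {})
    return not (records.get("A") or records.get("MX"))

def smtpd_helo_restrictions(helo_name, client_ip):
    """Apply the main.cf list in order; the first restriction that fires decides."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):
        return "PERMIT permit_mynetworks"
    if invalid_helo_hostname(helo_name):
        return "REJECT reject_invalid_helo_hostname"
    if non_fqdn_helo_hostname(helo_name):
        return "REJECT reject_non_fqdn_helo_hostname"
    if unknown_helo_hostname(helo_name):
        return "REJECT reject_unknown_helo_hostname"
    return "DUNNO"  # list exhausted; later smtpd_*_restrictions stages still apply
```

A legitimate but misconfigured sender (no A or MX record for the name it announces) lands in the last branch, which is the failure mode described for the hospital and rakuten servers.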


Re: [GTALUG] WAS : lazy jail server admin forced to act - NOW: how does email and anti email forgery work on the Internet

2024-01-08 Thread ac via talk
On Mon, 8 Jan 2024 02:40:39 -0800
Ron / BCLUG via talk wrote:
> ac via talk wrote on 2024-01-08 02:22:
> 
> > the ~ means if it is not from your servers it is also okay.
> > 
> > the - means ONLY from your servers.  
> 
> The link I posted earlier (linuxbabe.com) had an interesting take on
> "~" vs "-" and why the former is preferable:
> 
I do not know this website, sounds like a general self help or newbie 
support type site? 

for real/working technical and real/working production servers and
settings the best is to look/read/study the RFC link in my previous
reply.

RFC generally guides us on how things work (or should work) 

> If a multi-host (postfix) site receives your mail (like Google?) and
> it gets relayed between their servers (perhaps main one is down for 
> maintenance), and the final server gets the mail from the backup,
> sees "-", it may reject it.
> 
uhm, no. this is just not how it works. If you include +mx in your SPF
any changes to your zone or MX PRI will automagically be included in
+mx as mx is also multiple/all records as defined in your zone (or even
properly delegated zone)

IF your +mx is not updated/broken in your zone, or an undefined
server/IP has taken over your actual mx without any updates in your
zone, your email will be broken anyway and any.example.com will be able
to send and receive email as your domain. you will have larger problems
than me bouncing or -all really (and who bounces on -all anyway?) you
should SCORE -all as part of your SCORING.

and, if you are trying to say that GOOGLE.com sends or relays your
email - then you need to include GOOGLE.com in your SPF as they are
YOUR SENDER?

there is just nothing else to say or other correct technical opinions
to have because --> it is what it is :)

> Not sure if this is correct, but did cause pause for thought and am 
> considering changing "-" to "~" on my domains.
> 

hmm, and these things are technical science and are not really about
"feelings" so no, as this imnsho is not the best and you should not
even be thinking about how you feel.

You should be thinking : "What do I want" and "What do I want to do"
and the next thought should be : "How do I tell others that this is
what I want to do" and not wonder about how you feel about it :)

I tried speaking to someone the other day who "felt" that the earth was
flat. It is just very difficult to negotiate or even chat with someone
who has strong "feelings" about science and similar stuff...

But if you "feel" that you have to change your dns records, go for it :)

If you change it to "~" then anyone on the planet can send email as
originating from your email address.

So how it works in practise for me:

If I receive email and SOFT FAIL (not in your SPF) I score it a +1 to
+3 somewhere (depending on how strict/hard that specific email server
of mine is)

If I receive email and HARD FAIL (not in your SPF) I SCORE it a +4 to
+8 somewhere (depending on how strict/hard that specific email server
of mine is)

So, it is all about scoring - if you reach a high enough score I never
receive your email and it is either hard bounce or, if small, /dev/null

so, having an actual working email system today is all about scores and
scoring :)

Anyway, as it relates to SPF (as per the current RFC)

it is about what YOU want to happen.

the "S" in SPF is "SENDER" (not RECEIVER)

What do YOU want to tell recipients of YOUR email relay?

do YOU want to tell them "~" accept email when sent from my domain from
anyone on the planet?

OR

do YOU want to tell them "-" accept ONLY email from MY servers

Of course, if you relay through GOOGLE - you DO NOT have to worry,
google.com uses google.com all throughout their relay (which is
actually one of the very few cool things remaining about google)

BUT, if you relay through example.com and example.com then relays
through example1.com which also relays through example2.com which relays
through any random email server out there - then you WILL HAVE to add
"~" to allow example2.com to deliver your important mail communications
wherever. 

hth

Andre
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk


Re: [GTALUG] lazy jail server admin forced to act

2024-01-08 Thread Ron / BCLUG via talk

ac via talk wrote on 2024-01-08 02:22:

> the ~ means if it is not from your servers it is also okay.
>
> the - means ONLY from your servers.


The link I posted earlier (linuxbabe.com) had an interesting take on "~" 
vs "-" and why the former is preferable:


If a multi-host (postfix) site receives your mail (like Google?) and it 
gets relayed between their servers (perhaps main one is down for 
maintenance), and the final server gets the mail from the backup, sees 
"-", it may reject it.


Not sure if this is correct, but did cause pause for thought and am 
considering changing "-" to "~" on my domains.





Your SPF "should" maybe say:

mimosa.com. IN  TXT "v=spf1 +a +mx
+ip4:206.248.139.113 +ip4:98.158.128.23"


If I recall correctly, it's best to put IP addresses earlier in the list 
to save DNS look-ups, saving a tiny bit of time.



> (Your post did not include the "+" BEFORE the mx in the entry...)

True, and I agree it's best to include them to be as specific as 
possible on the author's intentions, however the "+" is the default, 
hence implied.


But, I agree, use them anyway.


rb

---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
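As an added example (not code from any poster), the SPF evaluation that ac's message above and this one argue over: a Python subset of RFC 7208 check_host run over a constructed DNS table, showing how +a, +mx, ip4 and include match, that "+" is the implied qualifier, and how "-all" versus "~all" changes the outcome, plus a constructed point score in the softfail/fail bands ac describes. Only the mechanisms named in the thread are modelled.

```python
import ipaddress

# Constructed DNS data for the demonstration; no real lookups are made.
DNS = {
    "example.org": {"TXT": "v=spf1 +ip4:203.0.113.0/28 +a +mx include:relay.example.net -all",
                    "A": ["198.51.100.4"], "MX": ["mx1.example.org"]},
    "mx1.example.org": {"A": ["198.51.100.25"]},
    "relay.example.net": {"TXT": "v=spf1 ip4:192.0.2.50 -all"},
    "lenient.example": {"TXT": "v=spf1 a ~all", "A": ["198.51.100.99"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def rr(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])

def in_net(ip, target):
    # target may be a bare address or a CIDR; strict=False tolerates host bits being set
    return ip in ipaddress.ip_network(target, strict=False)

def check_host(ip, domain, depth=0):
    """Evaluate the sending IP against domain's SPF record (subset of RFC 7208)."""
    ip = ipaddress.ip_address(ip)
    txt = DNS.get(domain.lower(), {}).get("TXT", "")
    if depth > 10 or not txt.startswith("v=spf1"):
        return "none"  # no record: the receiver has nothing to enforce
    for term in txt.split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"  # "+" is the implied default
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            hit = True
        elif name == "ip4":
            hit = in_net(ip, arg)
        elif name == "a":
            hit = any(in_net(ip, a) for a in rr(arg or domain, "A"))
        elif name == "mx":  # every MX host's addresses, so MX changes are picked up automatically
            hit = any(in_net(ip, a) for h in rr(arg or domain, "MX") for a in rr(h, "A"))
        elif name == "include":
            hit = check_host(ip, arg, depth + 1) == "pass"
        else:
            continue  # mechanisms and modifiers not modelled here are skipped
        if hit:
            return RESULT[qual]
    return "neutral"  # nothing matched and no "all" term

# Constructed points inside the +1..+3 (softfail) and +4..+8 (fail) bands from ac's post.
SCORE = {"softfail": 2, "fail": 6}

def spf_points(result):
    return SCORE.get(result, 0)
```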