RE: Build error with 51degrees library

2017-07-19 Thread Ben Shillito
Hi Willy,

Thanks for the additional change.

And that's quite alright, if there is a problem with our API that is affecting 
users' live builds like this, then it will always be our top priority.

Regards,

Ben Shillito
Developer
O: +44 1183 287152
E: b...@51degrees.com
T: @51Degrees

-Original Message-
From: Willy Tarreau [mailto:w...@1wt.eu]
Sent: 19 July 2017 19:56
To: Ben Shillito <b...@51degrees.com>
Cc: Florian Tham <fgt...@gmail.com>; James Rosewell <ja...@51degrees.com>; 
Thierry FOURNIER <tfourn...@arpalert.org>; haproxy@formilux.org
Subject: Re: Build error with 51degrees library

Hi Ben,

On Wed, Jul 19, 2017 at 05:49:44PM +, Ben Shillito wrote:
> Hi Willy and HaProxy Forum,
>
> I appreciate this has caused users problems which we overlooked when
> making these changes. Rest assured we are introducing fixed feature
> branches as part of procedure to prevent this from happening again.
>
> We have done the following to remedy the current issues:
> 1. branches v3.2.5 and v3.2.10 are now published as stable branches at 
> https://git.51degrees.com/device-detection.git. These are stable, feature 
> locked, branches and will only be updated with security fixes.
> 2. I have submitted to Willy patch files for 1.6, 1.7 and main dev branches. 
> These change the URL which is referenced in the instructions, and 1.7/dev now 
> reference the 3.2.10 stable branch.

Thank you. I'll fix the URL in your patches as there were some upper case 
characters causing "git clone" to fail, but the URL above works. And now with a 
version in the branch, I'm confident there should not be any similar issue 
anymore.

Thanks for having dealt with this issue quickly.

Willy



Re: Build error with 51degrees library

2017-07-19 Thread Willy Tarreau
Hi Ben,

On Wed, Jul 19, 2017 at 05:49:44PM +, Ben Shillito wrote:
> Hi Willy and HaProxy Forum,
> 
> I appreciate this has caused users problems which we overlooked when making
> these changes. Rest assured we are introducing fixed feature branches as part
> of procedure to prevent this from happening again.
> 
> We have done the following to remedy the current issues:
> 1. branches v3.2.5 and v3.2.10 are now published as stable branches at 
> https://git.51degrees.com/device-detection.git. These are stable, feature 
> locked, branches and will only be updated with security fixes.
> 2. I have submitted to Willy patch files for 1.6, 1.7 and main dev branches. 
> These change the URL which is referenced in the instructions, and 1.7/dev now 
> reference the 3.2.10 stable branch.

Thank you. I'll fix the URL in your patches as there were some upper case
characters causing "git clone" to fail, but the URL above works. And now
with a version in the branch, I'm confident there should not be any similar
issue anymore.

Thanks for having dealt with this issue quickly.

Willy



RE: Build error with 51degrees library

2017-07-19 Thread Ben Shillito
Hi Willy and HaProxy Forum,

I appreciate this has caused users problems which we overlooked when making 
these changes. Rest assured we are introducing fixed feature branches as part 
of procedure to prevent this from happening again.

We have done the following to remedy the current issues:
1. branches v3.2.5 and v3.2.10 are now published as stable branches at 
https://git.51degrees.com/device-detection.git. These are stable, feature 
locked, branches and will only be updated with security fixes.
2. I have submitted to Willy patch files for 1.6, 1.7 and main dev branches. 
These change the URL which is referenced in the instructions, and 1.7/dev now 
reference the 3.2.10 stable branch.

Regards,

Ben Shillito
Developer
O: +44 1183 287152
E: b...@51degrees.com
T: @51Degrees

-Original Message-
From: Willy Tarreau [mailto:w...@1wt.eu]
Sent: 19 July 2017 10:59
To: Ben Shillito <b...@51degrees.com>
Cc: Florian Tham <fgt...@gmail.com>; James Rosewell <ja...@51degrees.com>; 
Thierry FOURNIER <tfourn...@arpalert.org>; haproxy@formilux.org
Subject: Re: Build error with 51degrees library

Hi Ben,

On Wed, Jul 19, 2017 at 09:33:28AM +, Ben Shillito wrote:
> Hi HaProxy Forum,
>
> In relation to the build error with 51Degrees library. The data files
> associated with Trie are very large and were destroying the
> performance of the Git repository. As we believe a very small
> percentage of users were actually using the files they are now being 
> distributed separately to GitHub.

Very small or not, the reality is that the documented build procedure for 
STABLE releases has been broken again without even a prior warning.

> See this blog post for full details.
>
> https://51degrees.com/blog/51degrees-github-repository-housekeeping-important-update

Hardly an acceptable explanation for anyone trying to upgrade their haproxy to 
benefit from the latest security fixes, I'm sorry. Also if it's just a matter 
of database size, you could imagine distributing the smallest version and 
providing a conversion utility to turn it into the most appropriate format in 
field.

> If you'd like to continue to use Trie please can you contact us via
> the web site at https://51degrees.com/contact-us. We can then advise you 
> further.

Then why not try to address the problem by placing the code somewhere online 
instead of asking every user to have to contact you ?

> There are no plans to alter the distribution of the Pattern algorithm
> as the files are substantially smaller and work well with Git. All
> HAProxy builds should continue to work with the Pattern option. Just
> like HAProxy the open source business model is at the core of what we do.

So in short what you're saying is that the Trie algorithm that used to be 
available in opensource and promoted in the documentation as the fastest one is 
no longer opensource, screwing all its users and forcing them to choose between 
falling back to the slower Pattern method or not updating haproxy and stay with 
security issues in production.

> The v3.2.5 branch has now been republished, this was missed when the
> repository was trimmed, so apologies for any backporting problems this
> has caused.

Thanks, so this will fix version 1.6 but not version 1.7 since last year you 
provided a patch to replace the API before 1.7.0 release. Can you please also 
publish the last branch needed to build 1.7 and provide an update for the doc 
to explain how to build it now ?

You have no idea of the pain you cause to everyone by constantly breaking 
stable versions, really! And this throws a discredit on haproxy as a stable 
product! Please use branches and stop referencing your development branch as 
the official one!

> Willy; we're unsure what you mean by "broke the stable series *AGAIN*"
> and "betrayed".

Very simple : you did this already one year ago in the middle of haproxy
1.6 when the public code API was suddenly replaced in an incompatible way, 
causing quite some pain by then already. Users pick a version, they deploy it, 
prepare their update processes and don't have to think about it anymore, 
trusting all of us to deliver timely updates that they can deploy quickly.
In your case, once in a while they discover that some code broke, they have to 
revisit their build process to adapt to a different branch, after waiting for 
some time for the previous code to be made available again, etc. This happened 
twice in haproxy's existence, and the two times it came from your software. 
It's not serious.

> Could you provide further information so we can see if there's a
> harmonious way forward if we've made an innocent mistake?

The proper way to deliver a library is to version it. While you can encourage 
your users to test the development branch at their own risk, any user should be 
able to rely on a stable branch which only provides fixes. Thus for

Re: Build error with 51degrees library

2017-07-19 Thread Willy Tarreau
Hi Ben,

On Wed, Jul 19, 2017 at 09:33:28AM +, Ben Shillito wrote:
> Hi HaProxy Forum,
> 
> In relation to the build error with 51Degrees library. The data files
> associated with Trie are very large and were destroying the performance of
> the Git repository. As we believe a very small percentage of users were
> actually using the files they are now being distributed separately to GitHub.

Very small or not, the reality is that the documented build procedure
for STABLE releases has been broken again without even a prior warning.

> See this blog post for full details.
> 
> https://51degrees.com/blog/51degrees-github-repository-housekeeping-important-update

Hardly an acceptable explanation for anyone trying to upgrade their haproxy
to benefit from the latest security fixes, I'm sorry. Also if it's just a
matter of database size, you could imagine distributing the smallest version
and providing a conversion utility to turn it into the most appropriate format
in field.

> If you'd like to continue to use Trie please can you contact us via the web
> site at https://51degrees.com/contact-us. We can then advise you further.

Then why not try to address the problem by placing the code somewhere online
instead of asking every user to have to contact you ?

> There are no plans to alter the distribution of the Pattern algorithm as the
> files are substantially smaller and work well with Git. All HAProxy builds
> should continue to work with the Pattern option. Just like HAProxy the open
> source business model is at the core of what we do.

So in short what you're saying is that the Trie algorithm that used to be
available in opensource and promoted in the documentation as the fastest one
is no longer opensource, screwing all its users and forcing them to choose
between falling back to the slower Pattern method or not updating haproxy
and stay with security issues in production.

> The v3.2.5 branch has now been republished, this was missed when the
> repository was trimmed, so apologies for any backporting problems this has
> caused.

Thanks, so this will fix version 1.6 but not version 1.7 since last year you
provided a patch to replace the API before 1.7.0 release. Can you please
also publish the last branch needed to build 1.7 and provide an update
for the doc to explain how to build it now ?

You have no idea of the pain you cause to everyone by constantly breaking
stable versions, really! And this throws a discredit on haproxy as a stable
product! Please use branches and stop referencing your development branch
as the official one!

> Willy; we're unsure what you mean by "broke the stable series *AGAIN*" and
> "betrayed".

Very simple : you did this already one year ago in the middle of haproxy
1.6 when the public code API was suddenly replaced in an incompatible way,
causing quite some pain by then already. Users pick a version, they deploy
it, prepare their update processes and don't have to think about it anymore,
trusting all of us to deliver timely updates that they can deploy quickly.
In your case, once in a while they discover that some code broke, they have
to revisit their build process to adapt to a different branch, after waiting
for some time for the previous code to be made available again, etc. This
happened twice in haproxy's existence, and the two times it came from your
software. It's not serious.

> Could you provide further information so we can see if there's a
> harmonious way forward if we've made an innocent mistake?

The proper way to deliver a library is to version it. While you can encourage
your users to test the development branch at their own risk, any user should
be able to rely on a stable branch which only provides fixes. Thus for example
if "3.2" is your software branch corresponding to a stable API code, create
such a branch in your repository, document how to use this one for a given
program, try to plan for an end of life so that your users know whether
they're going to use it or not, and simply provide fixes there. You'll note
over time that it requires less work and allows you to break more in the
master branch since nobody relies on it for anything sensitive. Your software
will evolve faster and your users will be happy to be able to trust it.

Thanks,
Willy
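
Editor's added example, not part of the original thread and not HAProxy or 51Degrees code: a pre-build check that the stable branch in a locally kept clone still contains the commit last built from. This catches a rewritten history like the one reported in this thread, while accepting fixes-only updates. The function names and the throwaway demo repository are assumptions constructed for illustration; only the branch name `v3.2.10` comes from the thread.

```shell
#!/bin/sh
# verify_pin DIR BRANCH PINNED_SHA
# Returns 0 only if PINNED_SHA is still part of BRANCH in the clone at DIR.
#   2 = pinned commit missing, 3 = branch missing,
#   4 = branch history no longer contains the pinned commit (rewritten)
verify_pin() {
    vp_dir=$1; vp_branch=$2; vp_pin=$3
    git -C "$vp_dir" cat-file -e "${vp_pin}^{commit}" 2>/dev/null || return 2
    git -C "$vp_dir" rev-parse -q --verify "refs/heads/${vp_branch}^{commit}" \
        >/dev/null 2>&1 || return 3
    git -C "$vp_dir" merge-base --is-ancestor "$vp_pin" "refs/heads/$vp_branch" \
        || return 4
    return 0
}

# --- Constructed demo repository standing in for the vendor's repo ---
demo_git() {  # demo_git DIR ARGS...: run git with a throwaway identity
    dg_dir=$1; shift
    git -C "$dg_dir" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false "$@"
}

make_demo_repo() {  # prints the path of a new repo with one commit on v3.2.10
    md_dir=$(mktemp -d) || return 1
    git -C "$md_dir" init -q
    git -C "$md_dir" symbolic-ref HEAD refs/heads/v3.2.10
    echo "api v1" > "$md_dir/lib.c"
    demo_git "$md_dir" add lib.c
    demo_git "$md_dir" commit -q -m "stable release"
    echo "$md_dir"
}

add_fix() {  # fixes-only update: a new commit on top of the pinned one
    echo "fix" >> "$1/lib.c"
    demo_git "$1" commit -q -a -m "security fix"
}

rewrite_history() {  # replace the branch with an unrelated root commit
    rh_tree=$(git -C "$1" rev-parse 'HEAD^{tree}')
    rh_new=$(demo_git "$1" commit-tree "$rh_tree" -m "Initial commit")
    git -C "$1" update-ref refs/heads/v3.2.10 "$rh_new"
}
```

In a build script, record the commit you last built from and call `verify_pin` on the local clone before running `make` with `USE_51DEGREES=1`; a non-zero result means the branch should be reviewed before it is trusted again.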



RE: Build error with 51degrees library

2017-07-19 Thread Ben Shillito
Hi HaProxy Forum,

In relation to the build error with 51Degrees library. The data files 
associated with Trie are very large and were destroying the performance of the 
Git repository. As we believe a very small percentage of users were actually 
using the files they are now being distributed separately to GitHub. See this 
blog post for full details.

https://51degrees.com/blog/51degrees-github-repository-housekeeping-important-update

If you'd like to continue to use Trie please can you contact us via the web 
site at https://51degrees.com/contact-us. We can then advise you further.

There are no plans to alter the distribution of the Pattern algorithm as the 
files are substantially smaller and work well with Git. All HAProxy builds 
should continue to work with the Pattern option. Just like HAProxy the open 
source business model is at the core of what we do.

The v3.2.5 branch has now been republished, this was missed when the repository 
was trimmed, so apologies for any backporting problems this has caused.

Willy; we’re unsure what you mean by “broke the stable series *AGAIN*” and 
“betrayed”. Could you provide further information so we can see if there’s a 
harmonious way forward if we’ve made an innocent mistake?

Thanks,

Ben

Ben Shillito
Developer
O: +44 1183 287152
E: b...@51degrees.com
T: @51Degrees
-Original Message-
From: Florian Tham [mailto:fgt...@gmail.com]
Sent: 19 July 2017 09:20
To: Willy Tarreau <w...@1wt.eu>
Cc: James Rosewell <ja...@51degrees.com>; Ben Shillito <b...@51degrees.com>; 
m...@51degrees.com; Thierry FOURNIER <tfourn...@arpalert.org>; 
haproxy@formilux.org
Subject: Re: Build error with 51degrees library

On Wed, Jul 19, 2017 at 9:27 AM, Willy Tarreau <w...@1wt.eu> wrote:
> I just found a fork of the github repo here which I think could
> possibly work, it even contains the v3.2.5 branch :
>
> https://github.com/aerendil/device-detection-nginx-fix
>
> It would be a good idea to clone it before it disappears.

Thank you, this works fine with haproxy-1.7 and buys me the time I need to look 
into device detection alternatives.

One would also need to hold on to the 51Degrees-LiteV3.2.trie data file.
Currently, 51degrees only provides .dat files for use with the pattern 
algorithm.

Best regards,

Florian


Re: Build error with 51degrees library

2017-07-19 Thread Florian Tham
On Wed, Jul 19, 2017 at 9:27 AM, Willy Tarreau  wrote:
> I just found a fork of the github repo here which I think could possibly
> work, it even contains the v3.2.5 branch :
>
> https://github.com/aerendil/device-detection-nginx-fix
>
> It would be a good idea to clone it before it disappears.

Thank you, this works fine with haproxy-1.7 and buys me the time I need
to look into device detection alternatives.

One would also need to hold on to the 51Degrees-LiteV3.2.trie data file.
Currently, 51degrees only provides .dat files for use with the pattern
algorithm.

Best regards,

Florian



Re: Build error with 51degrees library

2017-07-19 Thread Willy Tarreau
On Wed, Jul 19, 2017 at 08:55:09AM +0200, Florian Tham wrote:
> Same problem here. It seems 51degrees close-sourced the trie
> algorithm, see 
> https://github.com/51Degrees/Device-Detection/blob/master/data/TRIE.txt:
> 
> "The 51Degrees 'trie' algorithm is not open source and is only made
> available through a proprietary license.".
> 
> The github repo history has been rewritten. There are now only 2
> commits in master, "Initial commit" dating from 2017-06-27.

P... Guys, you broke all the stable series *AGAIN* ? So let me check,
that also means that branch 3.2.5 documented as being necessary to build
1.6 was removed as well! Good! I prefer to imagine it's a mistake, but
anyway it is totally unprofessional and simply shows how much you care
about your users.

So in the end, haproxy 1.6 and 1.7 users who are relying on your lib
simply cannot upgrade to latest haproxy security fixes simply because
you unilaterally broke your library again, preventing them from building
an updated version!

> Building haproxy with the pattern algorithm still works. I wonder how long :(

I agree, we cannot trust such an external component at all with such a
track record, it's the second time it happens :-(

I just found a fork of the github repo here which I think could possibly
work, it even contains the v3.2.5 branch :

https://github.com/aerendil/device-detection-nginx-fix

It would be a good idea to clone it before it disappears.

Now if there is no sign of a quick fix for this situation which puts our
users at risk again, I think the only option will be to definitely remove
and blacklist this code from haproxy. It will still piss off all of its
users but they were already betrayed twice. However it will limit the
risk of making new victims.

I can't believe it

Willy



Re: Build error with 51degrees library

2017-07-19 Thread Florian Tham
Same problem here. It seems 51degrees close-sourced the trie
algorithm, see 
https://github.com/51Degrees/Device-Detection/blob/master/data/TRIE.txt:

"The 51Degrees 'trie' algorithm is not open source and is only made
available through a proprietary license.".

The github repo history has been rewritten. There are now only 2
commits in master, "Initial commit" dating from 2017-06-27.

Building haproxy with the pattern algorithm still works. I wonder how long :(

Best regards,

Florian



Re: Build error with 51degrees library

2017-07-18 Thread Willy Tarreau
On Tue, Jul 18, 2017 at 11:25:17PM +0200, Thierry FOURNIER wrote:
> Hi 51degrees guys & HAProxy list,
> 
> The haproxy build with 51degrees doesn't work.
> 
> Today, I tried to build new package of the latest stable version of
> HAProxy with my usual build command line, and an error raises. I try
> to compile the version 1.7.8 with this build command line:
> 
>    make CC=gcc TARGET=linux2628 USE_OPENSSL=1 USE_ZLIB=1 \
>         USE_51DEGREES=1 51DEGREES_SRC=/tmp/Device-Detection/src/trie \
>         51DEGREES_INC=/tmp/Device-Detection/src/trie
> 
> The error is:
> 
>    In file included from include/proto/proxy.h:29:0,
>                     from include/common/cfgparse.h:30,
>                     from src/haproxy.c:65:
>    include/types/global.h:205:3: error: unknown type name 'fiftyoneDegreesDataSet'
>    make: *** [src/haproxy.o] Error 1
> 
> Can you check this ?

That's really strange, there was no change to 51d since 1.7.0, the only
commit was a doc update. Ben, could you please check if the github repo
didn't get a random API change without notification again like happened
last year in the middle of the 1.6 maintenance cycle ? If this requires
another update to the build procedure for stable releases, it will
become really painful for users...

Thanks,
Willy