Criticism of woof-CE and of the people involved in it.

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#1 Post by mavrothal »

In another thread, given the opportunity, some "concerns" were expressed, so I thought to leave that thread alone and take it up here.

So, to roll the discussion, here is some response to some rcrsn51 comments (not necessarily directed at him).
rcrsn51 wrote:1. Many people complained about the icanhazip issue. The standard reply was "It's not a security problem. Don't worry about it."
The standard reply by many other people was that for some time (years?) the default was not a security problem. And is not!
BTW did you ever notice what your browser is doing the first time you run it?
rcrsn51 wrote:2. Eventually, the "compromise" was to add a checkbox, but set it ON by default. This struck me as petty and disrespectful of people's concerns.
Why is it a compromise to offer the option? And why must only the people worrying be respected, especially when it only takes a click to get their false sense of security?
rcrsn51 wrote:3. Then suddenly, Iguleder added a line to woof that turned the checkbox OFF, and not a SINGLE person commented. Apparently, all the community members who had previously resisted any change had nothing to say about the final solution.
Two points: there is no "resistance" in anything, some have different views on the "functionality vs risk" equation. Second, "no-one really cares enough" is the most likely reason for the lack of discussion on such a trivial issue (yes, pinging a site like icanhazip is trivial when it comes to security).
The option is still there and it still takes a click to change it to your liking. If this discussion makes people "rediscover" it and complain the other way around may as well revert to "on".



(And here is the important part, at least for me)
rcrsn51 wrote:Personally, this raises some questions about the decision-making process in woof and its transparency. But as I was once told, "Anything in woof is fair game."
How can you question the transparency when everything is up in a public repo, including the discussions?
But quite frankly very few people, besides the usual 3-4 suspects, offered any input or are even watching what is happening. Are you actually following any of the discussions and what is happening in Github?

Now regarding "decision making process", woof is a puppy building infrastructure. Decisions are related to how to make this easier/better (see a relevant recent issue), though there are even "heated" debates on other issues.
However, the actual puppies and their content is the work of the puppy builder. AAMOF less than 2% of the code in a puppy comes from woof.
Regarding possible other non-technical decisions, see above about "community participation"...


So,
Although puppy/woof/linux/FOSS is mostly a doocracy and the standard response is "put your code where your mouth is", I think that no one was ever harmed by constructive criticism and suggestions, and if not, everyone enjoys once in a while a flame war :twisted:
Feel free to take this thread anywhere it goes :P
Either way let's have it :D


Later: Edited grammatically (though I'm sure it has a few more issues :D )
Last edited by mavrothal on Mon 23 Nov 2015, 13:24, edited 1 time in total.
== [url=http://www.catb.org/esr/faqs/smart-questions.html]Here is how to solve your[/url] [url=https://www.chiark.greenend.org.uk/~sgtatham/bugs.html]Linux problems fast[/url] ==

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

Re: Criticism of woof-CE and of the people involved in it.

#2 Post by bark_bark_bark »

mavrothal wrote:So,
Although puppy/woof/linux/FOSS is mostly a doocracy and the standard response is "put your code where your mouth is", I think that no one was ever harmed by constructive criticism and suggestions, and if not, everyone enjoys once in a while a flame war :twisted:
Feel free to take this thread anywhere it goes :P
Either way let's have it :D
Sadly, many people in this world think that they are above criticism.
....

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#3 Post by Flash »

I'll leave this thread for now, but warn that it could disappear or be edited. Bark_bark_bark's comment didn't advance the discussion much. :(

cimarron
Posts: 292
Joined: Fri 31 May 2013, 01:57

#4 Post by cimarron »

If I'm understanding the woof function correctly, it's a tool to help people build puppies. But it doesn't control the content of any pup that someone wants to build. The puppy builder can make any changes to the code he/she wishes before releasing it. If that's true, I don't see how those maintaining woof are doing anything but providing a helpful service to others.

I also know that any puppy can be remastered pretty easily. So if I don't like what the builder put into a puppy, I the user can permanently change it myself (as I have). And most of the code is easily accessible and changeable. The parts I couldn't figure out myself, I found help from more advanced coders here to make the changes I wanted.

Because of this, my experience is that Puppy is the most user-friendly and user-submissive OS I've encountered. Thank you to BK and all the maintainers who have stepped up to keep this project going and improving!

jlst

#5 Post by jlst »

I don't like dogs, so basically that's my main issue with Puppy.

Puppy allows you total control, so I think: each to their own.

If you don't like the way it's done, modify it, hmm that's what I do, there is only one drawback: it takes too much time. But there is no knowledge that is not power (source)... With this same knowledge, mastering Arch Linux has been very easy.

But in order to make Puppy very popular, the LXPup derivative has taken the most user-friendly approach, of course, OpenBox+lxpanelx can be replaced with JWM and most bloat can be neutralized. ROX is borderline unusable, especially when you do everything with the keyboard. I mean, democracy takes into account what most people have to say. So basically a poll would be a very good idea.

I have my own Puppy derivative, I use only grub4dos menus for cds, hds, usbs, so basically a poll would be a good idea to know what exactly the users want...

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#6 Post by musher0 »

@all, if it can be useful:
I'm sure there are others, but there's a good spell checker online at
http://spellcheckplus.com/. Also available for French and Spanish.
It's not GPL, but it's free for short texts.

On the subject at hand, I'll say that I might not be in agreement with
some of the "editorial choices" in woof-ce, but as some may have noticed,
lately, I've been keeping my comments to myself. I respect the hours of
work the main woof developers have invested in the project, even if I am
not in total agreement with each and every one of their individual choices.

Let's keep in mind Librepup, a wonderful example of what the process can
achieve. As well, this process yielded extremely good results in the past
(upupRaring, tahrPup), and I'm sure there will be others in the future.

That said, Puppy is a community, not a company run from the top down.
Typically, "directives" or "suggestions" (for lack of better words) in a
community go the other way, from the bottom up.

While it is desirable to have a central development hub for Puppy, such as
woof-ce, because Puppy is a community, development of Puppy will
continue outside this hub. Also, criticism (hopefully constructive) coming
from outside this hub will continue to be voiced. Although some feathers
may be ruffled occasionally, I think that this bottom-up process is on the
whole healthy.

My 2¢. BFN.

musher0
Last edited by musher0 on Wed 25 Nov 2015, 15:50, edited 3 times in total.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

anikin
Posts: 994
Joined: Thu 10 May 2012, 06:16

#7 Post by anikin »

A quick question regarding Puppy pinging Google. In that thread, iguleder hinted that was changed. Can you guys please post a link and a brief description? One more: does Puppy's wget ping sourceforge or any other destination? If it does, why's that needed?

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#8 Post by mavrothal »

Puppy needs to know that it has an internet connection to perform different functions, i.e. access help pages, look for video drivers etc. So it pings a site that has a very high "up" rate to verify that it is connected and inform the user to connect if it is not.
Google and sourceforge were used earlier and now replaced by duckduckgo.

https://github.com/puppylinux-woof-CE/w ... 962c421c5a
and
https://github.com/puppylinux-woof-CE/w ... 8aadebf1ac

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#9 Post by bigpup »

Someone said:
"If two people agree 100% of the time, that means one of them is not needed"!

Disagreement is always good in the development of something.
However, at some point a final decision must be made.
Hopefully it will be agreed to by most involved.

Good example:
Cell phone charging.
Remember the 100 plus different charging connections there were for cell phones? People finally decided this was ridiculous.
Now we have one universal mini USB connection used by all.

Now, what do I do with all these different cell phone chargers :?: :roll:
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected :shock:
YaPI(any iso installer)

anikin
Posts: 994
Joined: Thu 10 May 2012, 06:16

#10 Post by anikin »

In my noobish view, the pings can be safely disabled. Puppy's core functionality won't be affected. Especially now, that the bone of contention is off. I recall Micko's answer in that old ipinfo thread, something like "they are on the chopping board" ... escaped the knife, though.

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#11 Post by mavrothal »

The nice thing about woof is that everyone can build a puppy the way (s)he likes it, and this forum is hospitable enough to everyone that has something to offer. I'm sure that some puppy builder will trade whatever functionality these pings and searches offer for a "discrete" puppy.

anikin
Posts: 994
Joined: Thu 10 May 2012, 06:16

#12 Post by anikin »

Can we stick to the point at hand? If internet is up, Puppy will have a connection. If internet is down, Puppy will not have a connection. Pings are irrelevant and not needed in this situation. I think (correct me if I'm wrong), Puppy can run those scripts linked in your post without any pings. Disabling icanhazip, while leaving the pings on, makes absolutely no sense. Icanhazip is just a small part of malicious functionality which is spread across all those *pinging* scripts. You either remove it all, or you don't.

dancytron
Posts: 1519
Joined: Wed 18 Jul 2012, 19:20

#13 Post by dancytron »

Well, sticking to the point, what is the actual security risk from the present setup i.e. pinging duckduckgo?

Not some imagined risk. Something actually bad that can, even remotely, actually happen.

Keef
Posts: 987
Joined: Thu 20 Dec 2007, 22:12
Location: Staffordshire

#14 Post by Keef »

The Evil Emperor Ping will teleport down from Cyberspace and stare menacingly at a kitten. And the government will deny it ever happened. B@st*rds.

anikin
Posts: 994
Joined: Thu 10 May 2012, 06:16

#15 Post by anikin »

Pinging Google, icanhazip, DuckDuck per se is not a security risk. I'm talking about malicious functionality: Puppy maintainers are pinging sites of their choice from my computer without my consent and knowledge. This *feature* makes Puppy absolutely not usable with Tor Browser. Those footprints (your IP, time/date in server logs of above mentioned sites) are used for triangulation - literally, like in trigonometry to find out your location.

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#16 Post by mavrothal »

Regarding identification, get your most secure setup, go to https://panopticlick.eff.org/ see if you are "trackable" and if you can be "fingerprinted". Tor or otherwise. (check also http://www.browserleaks.com/canvas and http://fingerprint.pet-portal.eu/#)
Regarding Tor being compromised by system pings, please anyone provide any evidence indicating that a system ping to a site can compromise per se Tor identity. Even if you visit the same site.

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#17 Post by jamesbond »

anikin wrote:Can we stick to the point at hand? If internet is up, Puppy will have a connection. If internet is down Puppy will not have a connection.
"Internet is up" (your own words) has a vague meaning. Let me put a definition to make the rest of the post more meaningful.

For me, "internet is up" means "I am connected to the internet", that "I am able to connect and converse with servers available on the Internet, both by their names, and by their IP addresses".

An example of what I can do when the "Internet is up" is command my browser to connect to duckduckgo.com to search for things. Another example is I can use IRC client to connect to many of IRC servers to real-time chat. It means I can stream video from youtube.com.

If you don't like this definition, you can define yourself; but for the sake of this post, this is what I will use.

Now, definition done, how do you know that "internet is up"?
Just because "eth0 is up" or "wlan0 is up" (which you can check using ifconfig), does not mean "internet is up". An IP address may not be assigned.

Just because eth0 or wlan0 has an IP address (which you can check using ifconfig), does not mean that "internet is up". That IP address may be bogus or connect only to the local network (not the Internet), in which case you need a gateway.

Just because you have a default gateway assigned (which you can check using "route" command), does not mean that the gateway gives you a connection to the Internet (it may be a default gateway to another local network; or worse, the gateway may be bogus as well). And even if the gateway is up and working and can route you to the Internet, you may not be able to access servers by name if you don't have a DNS server assigned for you.

Just because you have a DNS entry in /etc/resolv.conf, it does not mean "internet is up" (that name server may be bogus, or not responding).

So how to really really confirm that "Internet is up"? Surprise surprise, the only way to do that is to try to __connect to a server on the Internet__! Even this is not completely foolproof for many other reasons I don't really care to write here; but probabilities are, if you can connect to a well-known and well-maintained server on the Internet, you can connect to the others too; which is our definition of "Internet is up".
anikin wrote:Pings are irrelevant and not needed in this situation.
Indeed, pings are not reliable. Many server admins wisely (or unwisely, depending on whose belief you follow), disable pings to their servers so as far as pings are concerned, they don't exist.

The most reliable way to measure "Internet is up" is to simulate the activity that you want to do when the "Internet is up". For most people, this is web browsing, so the best way to test is to simulate web browsing - hence, "wget distro.ibiblio.org" or "wget duckduckgo.com" or anything else. If wget works, "Internet is indeed up"; if wget fails, chances are, there is something wrong in the plumbing somewhere.

=====

Now, you can say that all these tests for testing whether "Internet is up" are unnecessary, and are not worth the "risk". I'm fine with your opinion. But you're not the only one with an opinion; there are others who would prefer their Puppies to be able to connect to the Internet on the get-go, and be alerted when not - for them, the convenience is worth the risk. A decision has to be made, and whatever is chosen, some of us won't be happy about it. You can't satisfy everyone.
anikin wrote:Those footprints (your IP, time/date in server logs of above mentioned sites) are used for triangulation - literally, like in trigonometry to find out your location.
This is interesting. Can you provide a working example? (with numbers, IP address, etc)? Not necessarily your own example, but if you can point me to a document or article that explains how this is done, it would be useful.
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]
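
Added example (not part of any post in this thread and not woof-CE code): the layered check described in post #17, with the outbound probe made opt-in so that nothing leaves the machine unless the user sets `PROBE_URL`. The function names, `PROBE_URL`, the verdict strings and the use of `ip -o -4 addr show` in place of ifconfig are assumptions of this sketch; the probe assumes GNU wget.

```shell
#!/bin/sh
# Added example: layered "Internet is up" check. Function names, PROBE_URL and
# the verdict strings are assumptions made for this illustration.

# True if stdin (output of `ip -o -4 addr show`) has a global-scope IPv4
# address; the loopback address has scope "host" and does not count.
has_global_ipv4() {
    grep -Eq 'inet [0-9.]+.* scope global'
}

# True if FILE (format of /proc/net/route) holds a default route through a
# gateway: destination and mask all zero, gateway non-zero.
has_default_route() {
    awk 'NR > 1 && $2 == "00000000" && $8 == "00000000" && $3 != "00000000" { ok = 1 }
         END { exit !ok }' "$1"
}

# True if FILE (format of /etc/resolv.conf) names at least one DNS server.
has_nameserver() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[^[:space:]]+' "$1"
}

# Print the first failing layer. Nothing leaves the host unless the user has
# opted in by setting PROBE_URL; a configured layer can still be bogus, which
# is why only the probe can give the "internet-up" verdict.
diagnose() {
    printf '%s\n' "$1" | has_global_ipv4 || { echo no-address; return 1; }
    has_default_route "$2" || { echo no-default-route; return 1; }
    has_nameserver "$3" || { echo no-dns; return 1; }
    if [ -z "${PROBE_URL:-}" ]; then
        echo local-ok-probe-skipped
        return 0
    fi
    if wget -q --spider -T 5 "$PROBE_URL"; then
        echo internet-up
    else
        echo probe-failed
        return 1
    fi
}

# Constructed sample data (not captured from a real machine).
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0'
write_samples() {   # $1 = directory to fill with sample files
    printf '%s\n' 'Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT' \
        'eth0 0001A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0' > "$1/route.lan"
    cp "$1/route.lan" "$1/route.gw"
    echo 'eth0 00000000 0101A8C0 0003 0 0 0 00000000 0 0 0' >> "$1/route.gw"
    echo '# no servers configured' > "$1/resolv.empty"
    echo 'nameserver 192.168.1.1' > "$1/resolv.ok"
}
# Live use: diagnose "$(ip -o -4 addr show)" /proc/net/route /etc/resolv.conf
```
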

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#18 Post by mavrothal »

jamesbond wrote:Indeed, pings are not reliable. Many server admins wisely (or unwisely, depending on whose belief you follow), disable pings to their servers so as far as pings are concerned, they don't exist.
But if you ping a server known to respond to pings, it is a good (and less "revealing") method to determine if "internet is up". No?

Other than that, THANKS for the extensive explanations. :D
Hopefully will have some effect.

BTW would you care to explain possible risks from ping'ing duckduckgo or google or any other established server?

anikin
Posts: 994
Joined: Thu 10 May 2012, 06:16

#19 Post by anikin »

jamesbond,

I don't think my definition of "internet is up" is any different from yours as it is derived from reading arch/debian/ubuntu wiki pages and some other online material. I wanted to get my point across with as few words as possible. I'm absolutely not opposed to pinging, or whatever is needed to get the job done, provided *I myself* will be the executioner of pinging! I'm opposed to you guys putting pinging scripts in and controlling my computer.

Regarding triangulation, I read about it online, but haven't kept any links. I don't think practical examples are available, though, as the core of it is statistical analyses, which is done in three letter organizations.

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#20 Post by mavrothal »

anikin wrote:I'm absolutely not opposed to pinging, or whatever is needed to get the job done, provided, *I myself* will be the executioner of pinging!
Are you actually saying that ping'ing duckduckgo, google etc is not harmful after all? Because if it is harmful why wouldn't you oppose it regardless of who is initiating it?