[HN Gopher] Putty maintainer on his attitude towards security an...
___________________________________________________________________
Putty maintainer on his attitude towards security and open source
Author : AndrewDucker
Score : 353 points
Date : 2021-12-12 15:18 UTC (7 hours ago)
(HTM) web link (andrewducker.dreamwidth.org)
| varajelle wrote:
| I've been paid to (help) maintain an open source project by a
| company that also offers services and support around that project.
| When someone reports a bug on GitHub, the bug is triaged and
| prioritized for both paying customers and open source users. But
| sometimes open source users would just ask questions in the
| GitHub bug tracker. Then I'd just close the issue and provide a
| link to the official support channels (sometimes also answering
| the question if that's easy enough, but not if I have to ask for more
| info or if I have to search for the answer). Same when open
| source users would just ask questions by email.
| hinkley wrote:
| Someone I know met Simon one day and thought I'd like his
| autograph, since I was working in security at the time. I had in
| fact introduced that team to PuTTY, though this friend didn't
| know that.
|
| So I own a postcard that says words to the effect, "nobody has
| ever asked me for an autograph before". It is framed.
| wiz21c wrote:
| I genuinely agree with his vision and especially the reason why I
| can go to sleep sanely.
| ben_w wrote:
| Simon's a lovely guy. Met him a few times, he was often around in
| the local Geek pub[0] back before I moved out of Cambridge.
|
| [0] Same pub as frequented by the guy who proved Magic The
| Gathering is Turing complete, because Cambridge is _tiny_.
| denton-scratch wrote:
| It would be cool if someone would donate to him a domain.
| Downloading PuTTY involves relying on greenend.org.uk (which
| isn't obviously connected with PuTTY). You can check your
| download using the hashes provided on the site; but if the
| download has been messed with, then the hash is untrustworthy
| too.
|
| https://noncombatant.org/2014/03/03/downloading-software-saf...
| GoodbyeMrChips wrote:
| Would the lazy bastards who downvoted parent instead do
| something useful and post a sensible reply? (Rather than keep
| turning this place into another Reddit).
|
| Link and text from the Putty FAQ below.
|
| https://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#...
|
| A.9.2 Would you like me to register you a nicer domain name?
|
| No, thank you. Even if you can find one (most of them seem to
| have been registered already, by people who didn't ask whether
| we actually wanted it before they applied), we're happy with
| the PuTTY web site being exactly where it is. It's not hard to
| find (just type 'putty' into google.com and we're the first
| link returned), and we don't believe the administrative hassle
| of moving the site would be worth the benefit.
|
| In addition, if we did want a custom domain name, we would want
| to run it ourselves, so we knew for certain that it would
| continue to point where we wanted it, and wouldn't suddenly
| change or do strange things. Having it registered for us by a
| third party who we don't even know is not the best way to
| achieve this.
| lstodd wrote:
| Hah, I once ran a PuTTY download mirror for the clients of an
| ISP I then worked at.
|
| It was like 20 years ago. Even then it was obvious that they
| don't want any fancy domains, just that the work is done and
| putty.exe delivered where it's needed.
| laumars wrote:
| I once used PuTTY as the base for an internal SSH tool. We needed
| to provide data entry teams with access to a green screen but
| didn't want to expose any more servers than what they were
| authorised to use and a simple interface because a lot of the
| data entry guys were technologically illiterate.
|
| After spending hours looking for solutions that were purpose
| built for this kind of thing, I gave up, took PuTTY's source and
| made some tweaks to the UI.
|
| The source was so easy to work with and I was so grateful that
| the license allowed me to do this.
|
| The custom client only ran for a couple of years because the web
| replaced green screens. And being a *nix guy I don't get much
| need for PuTTY in my day to day. But I'll always be grateful for
| PuTTY for making that particular job possible (and secure).
| yjftsjthsd-h wrote:
| > And being a *nix guy I don't get much need for PuTTY in my
| day to day.
|
| It actually works on Unix, which is usually uninteresting, but I
| used it once when I needed a serial console client and wanted a
| friendly GUI. So it _can_ be useful :)
| vbezhenar wrote:
| For me PuTTY is still the preferred way to ssh from Windows.
| Nowadays Windows is shipping openssh.exe, so I can run it from
| cmd and it kinda works for quick simple actions, but clipboard
| works weirdly: basically I have to use right-click/paste to
| reliably paste data; shift+insert works in some apps and does
| not work in others. PuTTY just works like it worked 10 years
| ago, it's a good old reliable tool.
| dgfitz wrote:
| Have you ever tried mobaxterm? I was a putty person as well
| until I was put on to moba.
| Datagenerator wrote:
| This software limits the user to a maximum number of allowed
| sessions.
| memetomancer wrote:
| The _demo_ limits the user to a maximum number of allowed
| sessions. The unrestricted software has a modest
| licensing fee. Entirely reasonable considering the target
| audience.
| codetrotter wrote:
| That's fine, but why not just stick with open source PuTTY
| instead of switching to some commercial proprietary
| software?
| petee wrote:
| MobaXterm comes with a few extra goodies, like having a
| local X server to run remote programs locally on Windows,
| and it works out of the box. It also supports VNC, mosh,
| and others, so it's a handy all-in-one. I purchased once
| to support it, and I flip between PuTTY and Moba for no
| reason.
| memetomancer wrote:
| I really wouldn't know... wasn't advocating anything -
| just clarifying the deal with that software.
| dgfitz wrote:
| Oh I didn't know that. I don't use that feature. Fair
| point though.
| pelorat wrote:
| I moved off PuTTY to WSL plus the new terminal. It's just
| easier because you have all the things available like scp
| etc. That said, PuTTY (or rather its derivative KiTTY) served me
| well for years. But it's just so much easier to do key
| management in Linux via WSL.
| doubled112 wrote:
| Anybody have a solution to get hostname completion in
| PowerShell?
|
| ssh [letter][tab] gets me a list with my Zsh config. I looked
| briefly one time and couldn't find what I was looking for.
|
| I have a fairly large SSH config file, and needing to open it
| to copy and paste hostnames from the file is the main reason
| I just use WSL.
| majkinetor wrote:
| What's wrong with using $Env:ComputerName?
| asimops wrote:
| I don't have a solution but if you want to invest the time,
| you should have a look at https://docs.microsoft.com/en-
| us/powershell/module/microsoft...
| tssva wrote:
| https://gist.github.com/backerman/2c91d31d7a805460f93fe10bd
| f...
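One way to get the completion asked about above, as an added example that is not from the thread or the linked gist: it registers a native argument completer for the Windows OpenSSH client and offers the Host aliases from ~/.ssh/config. It assumes PowerShell 5.1 or newer (for Register-ArgumentCompleter -Native) and does not follow Include directives in the config.

```powershell
# Added example (not from the thread): tab-complete ssh/scp/sftp destinations
# in PowerShell from the Host aliases declared in ~/.ssh/config.
# Assumption: PowerShell 5.1+ and the ssh.exe bundled with Windows 10/11.
# Limitation: Include directives inside the config file are not followed.
Register-ArgumentCompleter -Native -CommandName ssh, scp, sftp -ScriptBlock {
    param($wordToComplete, $commandAst, $cursorPosition)

    $configPath = Join-Path $HOME '.ssh\config'
    if (-not (Test-Path -LiteralPath $configPath)) { return }

    # Keep any "user@" prefix typed so far and complete only the host part.
    $prefix = ''
    $needle = $wordToComplete
    if ($wordToComplete -match '^(.*@)(.*)$') {
        $prefix = $Matches[1]
        $needle = $Matches[2]
    }

    # One "Host" line may list several aliases. Wildcard (* ?) and negated (!)
    # patterns are matching rules, not destinations, so they are skipped.
    $hosts = Get-Content -LiteralPath $configPath | ForEach-Object {
        if ($_ -match '^\s*Host\s+(.+?)\s*$') {
            $Matches[1] -split '\s+' | Where-Object { $_ -and $_ -notmatch '[*?!]' }
        }
    } | Sort-Object -Unique

    # Arguments: text inserted on the command line, text shown in the menu,
    # result type, tooltip.
    $hosts | Where-Object { $_ -like "$needle*" } | ForEach-Object {
        [System.Management.Automation.CompletionResult]::new(
            "$prefix$_",
            $_,
            'ParameterValue',
            $_)
    }
}
```

Put the block in your $PROFILE so the completer is registered in every new session; typing `ssh b<Tab>` then cycles through the aliases beginning with "b".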
| wruza wrote:
| I'm using WinSSHTerm instead (it joins PuTTY, Pageant, file
| transfer and multiple configs together into a very nice UI,
| and its terminal works as expected). It is like an IDE of
| PuTTY-related tools. PuTTY may be the default ssh window to the
| Unix world, but its UI never felt good to me.
|
| Some screenshots to get an idea of its UI:
| https://www.google.com/search?q=winsshterm&tbm=isch
| kbenson wrote:
| The new windows terminal allows you to change how copy and
| paste work.
|
| I recently switched from about 20 years of PuTTY use (some
| years more than others; I ran Linux on the desktop for a long
| time) to Windows Terminal and the OpenSSH included with Windows.
| There are pros and cons. The new Windows Terminal is very
| nice, but there are still a few annoyances. Having an actual ssh
| config and almost all the capabilities (no
| ControlMaster/ControlPath because there are no files as sockets) is
| very nice.
|
| I probably would have been fine staying with Putty though if
| pageant hadn't started having reliable (but weird) problems
| when handling more than a few auths from remote in a short
| period, making Ansible unusable when running from my work VM
| with agent forwarding.
| sorenjan wrote:
| You can also save ssh connections as profiles in the new
| terminal, to easily open a new tab with a SSH connection to
| some computer. I use it to quickly access my home server.
|
| https://docs.microsoft.com/en-
| us/windows/terminal/tutorials/...
| 6510 wrote:
| But does Windows Terminal provide a phone line to scream in?
| sam_lowry_ wrote:
| I wonder whether Wallix contributes to Putty development.
| That's one company I know that relies on Putty to survive.
| tikkabhuna wrote:
| I use Windows Terminal these days so I have the same
| copy/paste behaviour in WSL, remote SSH and cmd. Ctrl + C
| when highlighting text to copy, Ctrl + V to paste.
| tonetheman wrote:
| I too had to make a custom version of putty and LOVED the code
| the author wrote and how easy it was.
| collaborative wrote:
| A similar thing happened to me. But instead of tweaking PuTTY I
| tweaked Poderosa v4, which also has a permissive license.
| aasasd wrote:
| It took me until the footnote to remember that this is Simon
| Tatham, who indeed also authored a fine no-nonsense collection of
| little puzzle games, which has been ported to a bunch of
| platforms.
|
| Here they are playable online on Tatham's site:
| https://www.chiark.greenend.org.uk/~sgtatham/puzzles/
|
| And here's the Android version:
| https://f-droid.org/en/packages/name.boyle.chris.sgtpuzzles/
| smegsicle wrote:
| His puzzle game collection is as perfect in its domain as PuTTY
| is as an ssh client.
|
| 'unruly' and 'signposts' are neat little timewasters, but
| devolve into a lot of counting at larger sizes.
|
| 'flip' with random shapes is a great fidget-style toy.
|
| 'galaxies' at 'unreasonable' difficulty gets pretty crazy.
|
| And plenty more, e.g. 'solo' provides every version of sudoku
| that you might want.
| hn_throwaway_99 wrote:
| I thought this was such a fantastic response, particularly the
| sections where he talks about how he responds to companies
| demanding he reply _as if_ he has a contract with them.
|
| The main point being that, with the log4j issue (and others
| before that), the thing that's struck me when maintainers
| complain about not being appreciated or that they are working as
| hard as they can, unpaid, is that maintainers are under no
| obligation to respond at all, and that you can't control how
| other people will react.
|
| As someone who's dealt with anxiety for a long time (and as a
| former opensource primary maintainer), I can most definitely
| commiserate with feeling burdened by the expectations of others,
| but one of the best things I learned from therapy is that you
| can't control others' emotions, you can only attempt to understand
| why you react as you do in certain situations.
| josephg wrote:
| You can't control others' emotions. But setting healthy
| expectations goes a long way.
|
| One of my takeaways from the log4j issue is that the log4j devs
| should have never accepted the patches to add LDAP urls in the
| first place. Or perhaps, they should have removed that feature
| when it became burdensome. I would have. There's a pressure to
| accept whatever patches come your way as an opensource
| developer, but actually, you're under no obligation to do any
| such thing. Open source also means the source is available - so
| people are free to take your code, mix in their patches and
| maintain it themselves. And if they can't be bothered doing
| that, why should I shoulder that burden?
|
| I think us opensource devs should get more comfortable saying
| no. "I hear that this feature is important to you but it
| doesn't solve a problem I (or anyone else I know) cares about.
| Please maintain those patches in your own fork."
| xxpor wrote:
| They didn't add ldap support explicitly though, AFAICT. They
| added JNDI support, using a fairly small patch the guy who
| filed the request wrote for them. JNDI is a standard Java
| thing, so I'd guess they didn't think too deeply about all of
| the things it could do (not criticizing them, I'd probably
| have done the same thing).
| nradov wrote:
| Another alternative is to build a stable plug-in API rather
| than handling such requests in the core product. That way
| users with particular needs can code their own plug-ins
| rather than forking the entire code base. Now obviously open
| source maintainers have no obligation to do that, but purely
| from an engineering perspective it's an approach worth
| considering.
| chx wrote:
| > But I'm not sure I don't prefer it this way - a labour of love
| becomes a chore if you can't temporarily put it down when you're
| running low on love.
|
| That is a very wise comment.
| rectang wrote:
| > _And part of that is making all the necessary security tools
| available free of charge, because the more money they cost, the
| more companies will take a cost-benefit decision not to bother
| with them, neglecting the externalised cost of those knock-on
| effects of their insecurity on everyone else._
|
| Boy, if _that_ doesn't ring true. Kudos to PuTTY's author for
| making it so easy and low cost to do the right thing that those
| profit-seeking automatons we call "companies" actually will.
| mwcampbell wrote:
| The same logic applies to other concerns like accessibility,
| which is one reason why I'm making one of my contributions in
| that area [1] available as permissively licensed open source.
| It helps that my current funding source for that project also
| wants it to be open source.
|
| [1]: https://github.com/AccessKit/accesskit
| yjftsjthsd-h wrote:
| How nice it is to see somebody who actually read the license they
| released their code under and accepts the results:)
| gopher_space wrote:
| You don't ignore complaints from systems you use for work. This
| isn't at all a political issue for engineers.
| ralph84 wrote:
| Indeed. Though I wonder how many of the "big tech profits from
| open source and doesn't pay the maintainers" complaints are
| from actual maintainers vs. observers with a general axe to
| grind against big tech.
| arka2147483647 wrote:
| This is a nice post from a healthy person who is comfortable with
| his position, and isn't overburdened.
|
| However, what would happen if that were not so?
|
| What would happen if he Could not, Would not, or were Unable to
| work?
|
| It would all fall apart. And that is the inherent fragility in
| these small critical opensource projects.
| nradov wrote:
| Or someone else would fork the code, most users would
| eventually migrate to the new project, and life goes on.
| lolc wrote:
| Putty would keep running even if the maintainer disappeared.
| You can build it yourself. You can find somebody to maintain it
| for you. What's fragile about that?
| GekkePrutser wrote:
| Putty is great and I thank him for this work :)
|
| I only use it privately now because our work doesn't allow it
| anymore since openssh was included with Windows. But I still
| prefer it.
| demarq wrote:
| Gem in the site's comments section:
|
| > a labour of love becomes a chore if you can't temporarily put
| it down when you're running low on love. - simon.t
| georgeoliver wrote:
| The discussion around open source in the last few days lends
| weight in my view to the notion that most engineers are
| apolitical by nature. Unfortunately larger political entities
| (that is, BigCorp) have no reservations taking advantage of this.
| mch82 wrote:
| Great footnote from the article:
|
| > I'm often amused that people compliment me on things like PuTTY
| by telling me how much of their time it saved, whereas people
| compliment me on my puzzle game collection by telling me how much
| of their time it wasted.
| johnchristopher wrote:
| I don't understand that sentence. Why would his puzzle game
| collection waste anybody's time? How come people know about it
| or even care?
| bombcar wrote:
| The point of a puzzle game is a pastime - often considered to
| be "wasting" time.
| johnchristopher wrote:
| But why would his puzzle game collection waste someone
| else's time? He's the one collecting the games or doing
| the puzzles, so why would it waste anybody else's time but
| his?
| bombcar wrote:
| He has a collection of puzzle games you can download and
| waste time playing.
| johnchristopher wrote:
| Gee, thanks :D. I didn't know that at all and the article
| has no hints about that. I came to that possibility but
| it was reaaaally out of context and off without prior
| knowledge. Thanks for confirming it, I really didn't
| understand what was what. edit: I took a look at the page
| again and there are no links or mentions of puzzles or
| anything, I knew I wasn't crazy (or that dense)!
| hhmc wrote:
| The hint is clearly in the sentence you're confused about
| -- that he has also created some puzzle games is the only
| plausible explanation.
| johnchristopher wrote:
| FWIW, the first explanation I thought of was something
| like "he replied to people asking for help that he was
| busy doing some (jigsaw) puzzles and wouldn't answer for
| now, thus wasting people's time by playing with his
| puzzles rather than answering". edit: and by puzzle I
| meant that kind:
| https://en.wikipedia.org/wiki/Jigsaw_puzzle. Puzzle in my
| mother tongue is the word used for jigsaw puzzles. Other
| puzzles are called "brain teasers".
| zem wrote:
| ooh, that would explain why there was a small but steady
| stream of people posting jigsaw related stuff in
| rec.puzzles back in the usenet days!
| xapata wrote:
| It was implied. You don't need prior knowledge to deduce
| it, except the knowledge to ask the questions you wrote
| in your other comments.
| [deleted]
| [deleted]
| sig-io wrote:
| Because his puzzle-games collection consists of computer games
| you can play yourself; they can be found here:
| https://www.chiark.greenend.org.uk/~sgtatham/puzzles/ or
| in the App Store/Play Store.
|
| My current timewaster is 'patterns', a nonogram puzzle.
| peatmoss wrote:
| Interestingly, I JUST finished reading (many years after
| it was published) The Player of Games written by Iain M.
| Banks. In it, there is an orbital habitat named Chiark.
|
| I assume that the interest in games and the hostname of
| his webserver are very much related.
| [deleted]
| hhmc wrote:
| It's a joke -- it means they enjoyed the puzzle game.
| johnchristopher wrote:
| I don't get it, the only way that sentence makes sense is
| if the backlink 3 Giving useful software means he's also
| sending people games or something which the article doesn't
| hint at.
| pjc50 wrote:
| He also has a games collection.
| https://www.chiark.greenend.org.uk/~sgtatham/puzzles/
| dsr_ wrote:
| "SGT Puzzles" or, sometimes, "Simon's Puzzles" is a
| collection of single player puzzle games that has been ported
| to many, many platforms.
|
| If you can think of a non-card solitaire game, it's probably
| implemented.
| kevinventullo wrote:
| If dealing with SSH tooling is itself a kind of puzzle, then I
| suppose the overall effect is that while people are still
| spending time solving puzzles, he made the puzzles more
| enjoyable.
| nijave wrote:
| I also find the opposite true: reminding colleagues that using
| OSS means we have to own and maintain the software whether the
| original community/author does or not.
|
| There seems to be a hesitance to fork abandoned or slow-moving
| software to update/fix issues.
| betwixthewires wrote:
| I think this is an important point that is often overlooked.
|
| When we release code under a free software license, we are
| _giving_ the software to the user, entirely. If you're using
| software that _you own,_ not just merely have a license to, it
| is yours, be prepared to maintain it, and if you're not
| prepared to maintain it, maybe relying on free-as-in-freedom
| software is a bad decision for you.
| thrower123 wrote:
| Code released under MIT and BSD licenses should really be
| thought of not as free, as in speech, or free, as in beer,
| but free, as in mattress on the side of the road.
| nerdponx wrote:
| It's easier to blame a nebulous 3rd party than to take
| responsibility.
| hutzlibu wrote:
| "reminding colleagues that using OSS means we have to own and
| maintain the software whether the original community/author
| does or not"
|
| No, _we_ do not have to do this. We wouldn't get anything
| done if we tried to maintain our full OSS stack. Where would
| you start? In the Linux kernel and move your way up to
| Chromium/Firefox? Have fun out there.
|
| "There seems to be a hesitance to fork abandoned or slow moving
| software to update/fix issues"
|
| And it is often easier to reimplement something from scratch,
| than taking up some underdocumented mess and trying to make
| sense of it.
|
| So I would rephrase that to:
|
| "using OSS means we _can_ own and maintain the software
| whether the original community/author does or not."
| zamalek wrote:
| It's much simpler: if you run into a missing bug/feature,
| report it to the maintainers and ask them to assign it to
| you.
|
| If each individual licensee is itching their own scratches,
| then there's a really good chance the entire codebase gets
| love.
|
| Absolutist approaches are the death of all good things.
| "Some" is better than "none."
| johnklos wrote:
| What an excellent reminder of how easy and effective it can be to
| not be a jerk. I think there are plenty of people who could take
| some advice from this.
| gfnaq wrote:
| Are you referring to this?
|
| "But I've always been able to deal with this by pointedly
| reminding the most demanding people that I'm not at their beck
| and call. Most of those companies who mistake me for a
| contracted vendor are prepared to recognise their mistake once
| I point it out, and the more self-aware ones even apologise.
| I've not even found it necessary to be especially rude: a plain
| statement of the facts of life normally does the job. If one of
| them is rude to me, then the quintessentially British approach
| of a faint frown and a tone of mild reproof (or its email
| analogue) generally gets good results - probably a lot better
| than mouthing off like a sweary 13-year-old in return."
|
| It is easier if you are a native English speaker, because you
| have a wide range of expressions at your disposal to express
| disdain or irritation without going nuclear.
|
| It is also easier if you are the single author and not fighting
| with others in the same code base.
|
| So I don't think _easy_ in general to react maturely,
| especially if you have made large contributions to a shared
| code base and some pushy person comes along and makes demands
| (sometimes the impolite person is another contributor, which
| makes things worse).
|
| EDIT: Perhaps you meant that the person _making requests_
| should not be a jerk, in which case of course I fully agree.
| guenthert wrote:
| > It is easier if you are a native English speaker, because
| you have a wide range of expressions at your disposal to
| express disdain or irritation without going nuclear.
|
| This! I - non-native myself - worked with fellows who learned
| English late in life and sadly to some share from the wrong
| sources (action movies and rap music, I'm afraid). Naturally,
| at times they appeared quite immature. Otoh, I had the good
| fortune to work with some British fellows, which, at times,
| was quite educational.
| majkinetor wrote:
| I am very happy that there are such great dudes. Respect! I don't
| even use PuTTY (but its fork, KiTTY).
|
| People forget one simple fact: WHEN YOU ARE PAID, YOU ARE NO
| LONGER FREE.
|
| There is no substitute for passion work, where YOU are the man,
| and there is 0 chance somebody will influence you.
| mfrw wrote:
| Simon is genuinely one of the many folks that are aptly represented by
| this xkcd [0]. Thank you, and a huge shoutout to you and
| your software that a lot of us use day in and day out.
|
| [0]: https://xkcd.com/2347/
| teraflop wrote:
| The Putty maintainer is Simon Tatham (the commenter), not
| Andrew Ducker.
| mfrw wrote:
| :( Apologies and corrected. Thank you!
| xyzzy_plugh wrote:
| This sort of thing should be required reading by everyone who
| interacts with open source software.
|
| So many folks come in with a chip on their shoulder, missing the
| forest for the trees. If every developer modeled themselves after
| Tatham's attitude, we probably wouldn't be having most of these
| conversations around open source right now. And issue trackers
| might be a more peaceful place.
|
| edit: fixed the author!
| camtarn wrote:
| Tatham, rather than Ducker - the former wrote a comment on the
| latter's link blog.
| AndrewDucker wrote:
| Indeed, Simon drops by occasionally and leaves a comment if
| he fancies. This one was so good I thought it was worth
| sharing more widely.
| camtarn wrote:
| It's pretty darn weird realising that Simon is actually a
| person who knows somebody I've met IRL, rather than a
| mysterious benevolent entity responsible for manifesting
| the PuTTY suite fully-formed upon the internet ;)
| AndrewDucker wrote:
| I think I bumped into Simon through a bunch of other
| Cambridge people I chanced onto via
| Dreamwidth/Livejournal. I wouldn't say we were even
| slightly close, but if I was living closer to Cambridge
| and there wasn't a pandemic he's definitely amongst the
| people I'd be delighted to say hi to in person.
| hereforphone wrote:
| Next let's do one for the openssh people
| bityard wrote:
| These days, there seem to be (at least) two kinds of open source
| software developers:
|
| 0. Those who release their code under an open source license, in
| the hope that it will be useful to others in some way.
|
| 1. Those who do the same as above, with the additional hope that
| they will be paid for in some ill-defined way. And when they are
| not, take to twitter and blogs to proclaim, "somebody should
| really do something about this!"
| AndrewDucker wrote:
| I do think there is a real problem whereby very important code
| that a lot of people and systems depend on is looked after part
| time (or not at all) and nobody thinks about it until it has a
| severe bug.
|
| But that's almost orthogonal to the issue of whether the
| original developer should be paid because their code turns out
| to be useful to lots of people.
| prepend wrote:
| I think it's a problem, but don't think funding is a good
| solution. If funding was good, then commercial products would
| serve the purpose.
|
| I think a better approach is to encourage more smart
| developers contributing time. And if companies find an
| individual or a percent of a person's time on a project
| that's actually funding. But it's very different from trying
| to replicate direct funds.
| Helithumper wrote:
| > If funding was good, then commercial products would serve
| the purpose.
|
| Not sure that's a solid affirmation, especially given how
| there are many open source projects receiving funding that
| often outcompete their commercial counterparts. In
| particular I would point out the major open source backing
| foundations such as the CNCF and Linux Foundation who help
| to fund their own projects. Would you say that these two
| organizations and their projects are not serving their
| purpose or are being outcompeted by commercial offerings?
| toast0 wrote:
| It's also orthogonal to whether the code is free or paid,
| open or closed.
|
| Plenty of commercial code is barely looked after, and if it's
| closed and broken, it's a lot harder to fix.
| boondaburrah wrote:
| 2. Those that start out as 0, but become 1 when it turns out
| the software they hoped would be useful winds up /costing
| them/ in some ill-defined way.
| ip26 wrote:
| Mainly, I gather, when users of their software start
| demanding support/bug fixes/enhancements.
___________________________________________________________________
(page generated 2021-12-12 23:00 UTC)