> You are of course also wrong about systemd requiring the whole package or nothing. Just look at the compile switch options.
"Compile switch options" are entirely irrelevant to published binary system components, such as systemd in RHEL 7. It's certainly possible to compile many system tools without specific features: this does not make them "separate" from the systemd monolith.
> This is just wrong; systemd dramatically increases security by e.g. making use of "Kernel Capabilities"
Just like SELinux, which I'm afraid most developers and many admins turn off as their first step in setting up new systems. Using internal security structures requires extra development time: it may be well invested, but it's extra work that is already discouraging people from upgrading or activating such security features. Please do not assume that simply because a security structure is available that it will be welcomed, or used, by most developers.
Yes, there are certainly advantages to a more intelligent daemon for starting, and managing, critical services. But weaving it into system logging is a support nightmare, at variance with the older UNIX and Linux approach of using simple tools to do very specific tasks, and chaining them together as needed, rather than making a monstrous "does everything" tool.
The approach of using simple 'daemon' files has been repeatedly engineered, and done well, by such experts as Dan J. Bernstein with his old "daemontools" package. That tool worked very well, it just never became part of standard Linux distributions due to his previously very strange licensing. He's since discarded that licensing and made it public domain: I'd have frankly preferred to see something much lighter weight and independent such as daemontools, perhaps with patches to provide a more sensible layout of components. Dan apparently considers the Linux File System Hierarchy to be irrelevant to his work and tended to put his components in some odd places, but that was easily patched.
RHEL 7 actually has a number of my corporate colleagues and partners looking more deeply at Ubuntu. If they're going to have to rewrite that much of their software and toolkits to switch to RHEL 7, it effectively lowers the threshold to switch entirely to a different distribution. And I'm afraid RHEL 7 is already behind the leading edge on many of its components.
> As such, would someone please explain to me why the IRS allows anyone (let alone the IRS' top administrator) to download their emails to their desktops and delete them from their servers?
Many companies not only allow this, they demand it. As people send around Word attachments and use long email strings as their personal institutional memory, many core email systems simply do not have the space to hold that data. They favor smaller, leaner email environments that they have some hope of maintaining, and are not willing or funded to take on responsibility for the Terabytes of data an individual bureaucrat may generate in a few years' use. By making the individual responsible for it, they make expunging or preserving it the individual's problem, not theirs.
The Congressman did not ask for the email. He asked for the "metadata", who sent it and when, and to whom. NSA monitoring and collection of metadata was shown as pervasive by Edward Snowden's revelations and by their own testimony to Congress, so it's difficult for them to now say "we only collect metadata". The IRS office that handles tax exemptions also corresponds with many international organizations, some of which are accused of being criminally based or fronts for illegal political activity. (Sinn Fein from Ireland, and numerous Muslim charities have been accused of this for years.)
It's a fascinating "damned if you do, damned if you don't" for the NSA. If they can't produce the metadata on request, then the amount of effort and money invested in their monitoring is clearly wasted. If they do produce the data, it verifies that they do, as a matter of course, monitor the ordinary business communications of peaceful, law abiding personnel going about charitable enterprise.
This is confusing: From my diabetic colleague: glucagon is dispensed in response to low blood sugar by the alpha cells of the pancreas, which apparently remain intact, not by the destroyed beta cells that are missing from the pancreas. If the diabetes is being treated well with insulin, why wouldn't the patient's normal glucagon response work well?
From my colleague reading over my shoulder: many diabetics lose their glucagon sensitivity, but apparently due to overall blood sugar control. They still have the relevant alpha cells, and my colleague would expect the glucagon sensitivity to recover with otherwise good diabetes control from manipulating the insulin alone.
Wikipedia has a useful list of pre-assigned IP addresses, at http://en.wikipedia.org/wiki/L.... I can certainly understand military groups wanting Class A records, because their equipment can last for decades and be very difficult to upgrade safely and robustly, and because they helped fund the early Internet.
I do note that MIT has its own /8, or over 16,000,000 addresses. I do wonder if they could be convinced to switch to IPv6 and free up the space for legacy environments around the world.
This is affected profoundly by VPN based remote access, and the enormous variety of software that is incapable of handling multiple A records for the same address. Moreover, the DNS configurations needed to distribute those "regional" IP's for similar hostnames around the world is reasonable to someone who understands DNS. But I'm afraid that most administrators of it only have a passing knowledge of it, and have learned what buttons to click by looking it up on Google.
Handling different, hexadecimal numbering schemes with different tools to manage and parse them is going to be burdensome, and error prone, at every level. It's one of the many reasons most organizations have simply switched to using NAT and keeping only a few exposed IP addresses, and even using name based web services on an outward facing proxy. They have no need to expose their internal address space, and are better off without it for quite simple security reasons.
> anything to force a rewrite will be a very good thing.
Have you ever tried to debug a major piece of software that has been re-architected, from the ground up? Most of the performance benefits are lost in relearning the lessons that the original authors solved in their early releases with the original architecture. The specific benefits that were used to justify the re-architecture are usually not only lost, but overwhelmed and buried in the lost performance, downtime, and sheer wasted manpower of rebuilding from scratch.
This is not always the case: when the original architecture was some one-off of someone who is no longer able or willing to support the product, and that individual author never was convinced to solve the fundamental issues, and when there is already a better built tool available, then yes. But inventing a new physical technology to force a software rebuild would be the height of wasted effort.
The underlying danger is your assumption that a rewrite would improve the software quality. This should not be assumed.
"rm" doesn't follow symlinks. However, if you have a symlink that is a directory, and hit "tab" to complete the link's name, it will put a dangling "/" on the link name. _That_ is referencing the directory from effectively "inside" the actual target directory.
I've had several conversations with colleagues over why just hitting 'tab for completion' can be hazardous. This is one of the particular cases.
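An added example for the trailing-slash point above, not part of the original comment: it shows how the same symlink name resolves with and without the "/" that tab completion appends, and includes a hypothetical guard function, `trailing_slash_symlink`, that a cleanup script could call before deleting. It assumes Linux path resolution, where a trailing slash forces the symlink to be followed; all file names are constructed.

```shell
#!/bin/sh
# Added illustration; the function names and temporary layout are constructed.

# trailing_slash_symlink PATH
# Succeeds when PATH ends in "/" and, with the slashes stripped, names a
# symlink. A deletion script can use this to refuse such arguments, since
# "link/" no longer refers to the link itself but to the directory behind it.
trailing_slash_symlink() {
    case "$1" in
        */) ;;              # only paths with a trailing slash are of interest
        *)  return 1 ;;
    esac
    stripped=$1
    # Remove every trailing slash ("link///" behaves like "link/").
    while [ "${stripped%/}" != "$stripped" ]; do
        stripped=${stripped%/}
    done
    # An empty result means the argument was "/" itself.
    [ -n "$stripped" ] && [ -L "$stripped" ]
}

# demo_resolution
# Builds real/ and a symlink link -> real in a scratch directory, then
# reports how "link" and "link/" are seen by the file tests.
demo_resolution() {
    work=$(mktemp -d) || return 1
    mkdir "$work/real"
    : > "$work/real/data.txt"
    ln -s real "$work/link"

    result=""
    # Without the slash, the name is the symlink itself.
    [ -L "$work/link" ] && result="${result}link:symlink "
    # With the slash, the link is followed: it is no longer seen as a symlink...
    [ -L "$work/link/" ] || result="${result}link/:not-symlink "
    # ...but as the target directory, contents included.
    [ -d "$work/link/" ] && result="${result}link/:directory "
    [ -e "$work/link/data.txt" ] && result="${result}link/data.txt:exists"

    rm -r "$work"           # scratch directory only; "link" is removed as a link
    printf '%s\n' "$result"
}

demo_resolution
```
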
If you follow the specifications, there's no need for heat. No Linux variant has been certified according to the POSIX standards for UNIX, and most variants have subtle ways in which they diverge from the POSIX standards, at least subtly. Wikipedia has a good note on this at http://en.wikipedia.org/wiki/S...
Personally, I've found each UNIX to each have some rather strange distinctions from the other UNIX's, and using the GNU software base and the Linux based software packages to assure compatibility among the different UNIX variants.
Along with corporate "astroturfing" in the blogs and message boards of various sorts, I'm afraid. We've never been completely free from concealed or fraudulent advertising, but the fake "grassroots" campaigns have gotten out of hand. Even the "Tea Party" was apparently founded as an astroturf campaign, with the concealed funding by Rupert Murdoch and the Koch Brothers. The Guardian did an excellent article about it at http://www.theguardian.com/com...: it might have been very, very difficult to print that in any of the Rupert Murdoch owned American newspapers.
The economics of pervasive broadband get quite strange. Doing cable based connections _as well as_ fiber _as well as_ DSL means a great deal of expensive, replicated infrastructure, and the installers arguing over space and time to run or repair their connections in very limited physical conduit strung between locations. Every time one of them needs to open up a conduit to upgrade or replace the physical layer they're putting every one else's connections at risk. It's an inevitable source of conflict among the companies.
It's often worse in the wiring closet where the physical connections are tied to network equipment. Shared cooling, power, and rack space are purchased, leased, subleased, and at risk of personnel from one group making mistakes and touching someone else's rack. Given the variety of network wiring styles, mistakes are inevitable. (Look up "bad network closet" on Google for excellent examples of the problem.)
I'm also afraid it's worst of all in the paperwork. The turf wars, the conflicting scheduling and mapping tools and policies, and the unwillingness to share data about infrastructure make the sharing of those common physical resources even more awkward with the current mix of technologies.
The Niven story is merely a well illustrated description of the problems, and an entertaining one.
Please examine the entirety of human history for _any_ examples of an "anarchic" society, especially one that survived more than one winter or dry season. Especially try to find even one that lasted long enough to raise a generation of children.
So do bad ones, much more quickly in good police departments.
I do wonder what happened to this officer: https://www.youtube.com/watch?... It should be used by the police as a training video of exactly how to handle people carrying rifles openly.
The inability of any social culture with more than a few members to function without an enforced hierarchy forming is well defined by the entire history of humanity, and even shown by observation of animal groups.
From the developers and stock personnel getting out of the business due to risks and low returns on their investments, especially as the FPGA driven technologies have replaced the extremely expensive datacenters with the "high-speed", "low latency" network links. It has become a playpen for a few leading companies willing to invest tremendous capital in gaining microseconds of advantage over competitors.
It's profit _for the other High Frequency Trading programs_, which are the only programs ready to sip the profits from each set of trades rapidly enough as the price shifts. And the wildly cycling prices rarely restore the price to the original value: this ruins employee stock options and frightens investors and banks away from companies that were not in any way responsible for the oscillation.
The creation of FPGA's to sit directly on the fiber leaving the stock exchanges has utterly corrupted high frequency trading. _No one_ in their remote office can get equal notice of small changes, and those FPGA's can flip transactions repeatedly as a stock rises to its new level, buying and selling and buying and selling to everyone else, and pulling their profits out of what normal traders would see. The transaction cost is much too low, and the forgiveness time to recall an unwise transaction is much too generous.
Unfortunately, there are also inevitable phase delays and feedback loops in such systems that can destroy the value of companies, and investors, who get caught in the unplanned positive feedback. They can't be "programmed against" because programming against them would slow the transactions and lose the very profit that HFT is reaping.
> Because the system on which our liberty and freedom is based is more important than some guys setting off a bomb, no matter how large the attack
Let's be very careful about absolutes. I can certainly imagine circumstances in which a summary execution without a trial could be morally justified. But I'd expect the executioner to go to jail for murder.
> We just cannot - under any circumstance - accept a situation that a government can capture, try and imprison people without ever having to be accountable for those actions.
Which is not, legally, what they're doing. There is a review process available, with appeals courts. But the trial and review processes themselves would be secret. And that is hideously dangerous, as the recent experience with Guantanamo Bay in the USA has shown. When normal legal process is thrown aside in the name of "national security", you get the abuse and torture that have been documented there, with no perceptible benefit. There has been no evidence of any terrorism prevented by imprisoning people at Guantanamo Bay: instead, like Abu Ghraib, it's been another rallying cry for further rebellion and even terrorism in Iraq and Afghanistan.
If Western courts engage in secret trials and sentencing, then how can any "terrorist" nation have confidence in their justice and perceive them as other than repressive, dangerous foes?
Snowden did try to go through channels. See http://icontherecord.tumblr.co.... Snowden claims there was more, and that the NSA is trying to spin this sort of matter by concealing much of the correspondence and records: given the text of this sort of letter, I can believe it.
I'd be curious to learn more about his "training as a spy": it's difficult to dig through the newspaper reports for his actual sentences, instead of just the juiciest sound bites.
> Spreading it around to make absolutely sure that Pakistan is helping the Taliban and Al Qaeda to make good, constructive use of it
Nonsense. From their own testimony, NSA personnel have admitted that Snowden repeatedly went to his own superiors and his own chain of command about criminal behavior by his own colleagues and superiors, criminal behavior in violation of US law, the US constitution, and international treaties. He's done what he can to keep purely internal security documents _unpublished_, by attempting to filter it of genuine security risks to US personnel and civilians worldwide.
He had no rational recourse left to help prevent criminal, abusive behavior on a worldwide scale. I'm afraid that your protestations sound like those of corrupt police departments when discovered beating prisoners. "If you testify, it helps the drug lords."
And of course, XKCD has an excellent cartoon about just this sort of problem:
http://xkcd.com/327/
It looks like little Bobby "Tables" has grown up, discovered herself, and changed her name and gender to Roberta "PHP".
The bitrot will change the checksums and cause the files to show up as modified.
Moreover, what will you do about a reported bitrotted file unless you have genuine archival backups somewhere else?
Anarchy cannot _possibly_ be stable. This was illustrated very well in Larry Niven's story at http://www.larryniven.net/stor....