> The key idea: that he is an ILBP (or has been in 10 years) is absurd. He is not....
This attitude denies support to projects like NTPsec, for which he's the technical lead, your take on this concept only applies to current maintainers of existing projects.
Even then, he's converting GCC to git, the latter indirectly bears a great deal of "Internet Load".
I deny support for NTPsec specifically because I think it's an idea whose time has passed and now soldiers on because of inertia rather than good sense. It's sort of a meme that any project ending in "sec" is vestigial.
So no: they don't get my support. Why would they? Same with DNSsec. Useless project, please desist.
Can I just use this spot to remind everyone that when one of his commenters found an integer handling bug in the ntpsec codebase, Raymond said "I will neither confirm nor deny that I left it in there deliberately to see who would be sharp enough to spot it".
You can find it in the thread on his blog post titled (I am not making this up) "Thinking like a master programmer, redux".
Another fun fact: Cure53 audited ntpd and ntpsec concurrently, and found an instance where ntpsec rewrote a function and managed to regress out a patch for a security vulnerability, reintroducing it into their codebase. (By the way: overwhelmingly, with I think just one exception --- not counting the regression above --- the significant findings in that report applied uniformly to both ntpsec and ntpd).
Additional fun: until 2017, the ntpsec project apparently didn't even enable system/runtime mitigations like ASLR (according to the "Fix/Validation log" in the Mozilla SOS project).
Conclusion of that report: "While the NTPsec project emphasizes cleaning up its ancestors’ flaws, the difference regarding quality between the original code and the current implementation was not as great as anticipated."
Yes, this is unconstructive legalism. Is anyone out there checking whether he's written something about Iranian agents attaching strumpet mines to his car which he then successfully demagnetized with his Aikido?
Apropos of nothing at all, if someone were to gather his greatest hits into some sort of collection, it should probably be named Bearin' Load
As I understand it, NTPsec, a hostile fork of ntpd, is not a well-regarded project. Look at the "project accomplishments" page and see what they don't claim to have accomplished: the elimination, prior to publication, of any vulnerabilities in a mainstream/default ntpd configuration. They reorganized a bunch of code, swapped strcpy's (and strncpy's) with strlcpy, moved the project out of Bitkeeper (something that has nothing to do with security but is the first listed achievement on the site), and generally removed stuff nobody enables in ntpd.
Before it lost funding, Raymond was openly discussing rewriting the whole thing in Go, which sort of gives the lie to the idea that the project was operating in good faith.
Accusing ESR and the rest of the NTPsec project of fraud is a very serious claim. Could you explain in more detail why contemplating rewriting of most or all of the project in Go as he was learning the language is such a definitive tell?
I haven't accused anyone of the crime of fraud; fraud requires an active intent to acquire something of value through misrepresentation, and I'm happy to concede that forces other than intentional misrepresentation are at work here.
The premise of the ntpsec project was that ntpd was an unloved and mismanaged codebase that suffered, as a result, from security flaws. Raymond and his team would take over the code, in something similar to the manner the openssh project took over SSH, and eliminate security vulnerabilities. The project needed funding because ordinary developers wouldn't take on such a thankless task --- maintenance programming on a giant C codebase --- without compensation.
A reimplementation of NTP in a different language is not at all the same project --- as you can see from all the NTP projects that already exist in Go and Rust, for which nobody appears to be begging contributions. Not to mention the obvious fact that people don't run new implementations of NTP in Go or Rust because they can't, and so abandoning the ntpd codebase eliminates almost all of the purported value of the project to the Internet.
Most sites can switch from ntpd to something else. See for instance systemd timesyncd which really doesn't have a reason to exist. And changing to chronyd was a very quick switch.
I think it is really inertia. Time synchronization goes unloved at a lot of places.
I don't disagree! In particular, a ground-up Rust replacement for the 20% of ntpd that everyone relies on would do a lot of good and be deployable virtually everywhere ntpd is today (Raymond proposed a Go rewrite --- I strongly prefer Go to Rust, but Go has a garbage-collected runtime).
But that's beside the point. Pushing a hostile fork of a popular project, raising money for it, and then abandoning the codebase entirely for a rewrite takes a "special" kind of chutzpah.
Some distance down the list is reposurgeon, which has been used to convert Gnu Emacs and many smaller/younger repositories to git, and is in the process of converting GCC: http://esr.ibiblio.org/?tag=reposurgeon
> gpsd is a service daemon that monitors a GPS attached to a serial or USB port, decodes the position/velocity/time information it sends, and republishes in a simple uniform format on an IANA-designated TCP/IP port. This enables multiple applications to read from a GPS without contention. The distribution also provides C and Python libraries to encapsulate the client side of talking with gpsd.
> Eric S. Raymond has been the technical lead of GPSD, a close peer project of NTP and one of its principal time sources, since 2004. GPSD has billions of deployments in Android smartphones world wide and is a mission-critical component in most of the world’s drones and driverless cars and robot submarines.
The top item, where he's also the technical lead:
> NTPsec
> A stripped down-security-hardened and generally improved version of the NTP reference code. Features code bulk reduced by a factor of 4, better monitoring and diagnostic tools, and Network Time Security.
Aspires to become one, but it's early in the process to see if it'll succeed.
Those are projects I've vaguely followed over the years. Reading down the list, this claims to be one, and the claim is partially falsifiable:
> giflib
> The ubiquitous service library for rendering GIFs. I handed off the project 1994 to avoid problems with the U.S. patent system, but accepted back the lead in 2012. This code had the odd effect of making me virtually omnipresent; it seems nobody has ever bothered to write a replacement, and it's now ubiquitous in web browsers, cellphones and gaming consoles. In a nicely ironic touch, it earned me an appearance in the credits of the Microsoft XBox.
GPSD was historically an important project, but I wouldn't call it "load bearing" in the same sense as core networking or service contributions.
It's also increasingly less important as the changes dropped in 4.19 are picked up by downstream software authors. Most software installations that care about gps are deployed in SBC configurations. A lot of other folks (e.g., hobbyists with external microcontrollers or arm SBCs) are parsing directly.
Folks most interested in linux attached hardware are either older school hardware hackers (who rely on this project) or folks using new LoRa radios (in which case that stuff is in the card and annoyingly locked down because it's part of some LoRa monetization schemes).
Sooooo yes. Not a bullshit project. But no, not an ILBS project.
I'll repeat the claim from the NTPsec project page:
> GPSD has billions of deployments in Android smartphones world wide and is a mission-critical component in most of the world’s drones and driverless cars and robot submarines.
And tools, to support for example the development of tools like Emacs and GCC, indirectly support "core networking or services".
You can narrowly define "core networking or service contributions" to exclude everyone but Linus Torvalds and Vint Cerf, but that's boring.
Having hand built and written software for a lot of drones, gpsd is not mission critical in most drones and I dunno where they get that claim.
You only use gpsd for embedded hardware when you have no drivers OR you're in 2017.
As for Android... again that capability is not important to the internet. It's important to Google cheaply getting a feature launched. This seems to me to be specifically ignoring the anti-corporate-centric intent of ESR's post to elevate his importance.
This essay is important without these sub-discussions. I fully agree with ESR that capitalism fails to sustain the internet and ruthlessly rides the backs of maybe four dozen skilled individuals in the world who, when they're gone, will be sorely missed and the world will suddenly become more expensive if others don't take up the call.
I just don't think ESR is in that critical group. He might be in a group of people writing widely used software. And that's great and important. But it really doesn't seem like what he himself is discussing.
> You can narrowly define "core networking or service contributions" to exclude everyone but Linus Torvalds and Vint Cerf, but that's boring.
Both of whom are well compensated for their work, no? Seems to me like we should look more critically at who is not being served by capitalism and help them since their work has value.
Raymond didn't write gpsd, did he? He took it over as the "maintainer". But as 'geofft observed awhile ago, if you actually git-log the project, you'll see that most of the substantive changes to gpsd aren't Raymond's.
Is it possible that what Raymond really has is a (waning) talent for getting his name attached to other people's work?
This is merely a list of the "critical Internet services or libraries" that he claims in one way or another, and ensuring the maintenance of such software is part of the whole thesis.
To scare quote that, and denigrate it over "substantive changes" ... well, I must thank you for your solid support of his thesis.
I don't understand your objection. Either you do the work or you don't. There's no "critical Internet infrastructure" value in simply attaching your name to things.
Here you're blatantly accusing ESR of fraud, which per you "requires an active intent to acquire something of value through misrepresentation", to wit, soliciting money for "attaching his name to things".
We have no basis for a discussion of the work you claim he's not doing.
I don't know where you're going with this, you haven't given me anything to reply to here, and so I suppose I'll simply stand by what I wrote. I am certainly not accusing anyone of committing a crime.
But none of these are within the implicit scope of "Internet Load Bearing Software" though, are they? We're aware of his prior involvement with ILBS, but he hasn't been sharp in that game for a long time now.
But I think ESR's point about recognizing how load bearing individuals and small groups are being crushed in the wave of monetizable internet growth is a good point. We should focus on people currently in that position.
What generation of tape technology exhibited the problems you describe? I've never suffered such problems with original 1/2 mag tapes, DDS, or LTO.
BD-XL is wildly more expensive than LTO, although that won't matter if you can't get LTO to be reliable for you. Just checking now, B & H Photo which tends to have good prices and a good supply chain, $54.57 for 10 100GB BD-XL or a terabyte (https://www.bhphotovideo.com/c/product/1101544-REG/verbatim_...), not so cutting edge and still with competition LTO-6 from Fujifilm, quantity 20, $11/TB (https://www.bhphotovideo.com/c/product/1096090-REG/fujifilm_...). We also have a problem with no one worth trusting making cheapest single level BDR discs, the least worst is CMC, and I wonder how long before BD-XL suffers the same problem.
You can't disconnect that bit of Newspeak from what really happened, a hostile takeover of the Navy Department by the Army and Air Force that previously comprised the War Department (all this a couple of years before publication). See https://en.wikipedia.org/wiki/Revolt_of_the_Admirals for just one bit of fallout from this.
Realistically, companies keep making older generation tape drives for a long time, for example, HP LTO-5 drives are still widely available from normal vendors like Newegg. And except for one discontinuity that's pretty clearly due to the change from metal particulate to BaFe, which is at the heart of this patent dispute, LTO offers two generation back read capability, and one generation back write capability: https://en.wikipedia.org/wiki/Linear_Tape-Open#Compatibility
> Backblaze's system architecture is fairly failure tolerant, so they use a huge number of "consumer" grade drives that would cause enterprise people to run away screaming.
I think what would "cause enterprise people to run away screaming" is that your data is stored by them in only one data center, and they don't offer a S3 compatible API (although someone may have addressed the latter).
Backblaze however correctly notes that if you really want redundancy, you get that from using two or more vendors.
Tape is physically a lot more robust than hard drives, the single endurance advantage the latter have is better tolerance of environmental extremes, heat and humidity.
From previous reading, both are banned, Fuji recently: https://www.theregister.co.uk/2019/05/31/lto_patent_case_hit... (Although previously I remember it was Sony that declined to start up LTO-8 production, after getting their importation of similar BaFe LTO-7 tapes banned, maybe el Reg got which was which confused in the article.)