From Newsgroup: muc.lists.freebsd.stable


--CwEx6avFF2kTSAjq
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

I'm really quite concerned about the plans to remove lpd. I
understand that there are security issues with lpd, even if I haven't
heard any reports of exploits in over a third of a century, but the
approach seems wrong to me. If we follow this direction, we can pare
down FreeBSD to a bare minimum (the kernel and what else?).

So what should be done? I'm explicitly copying core@ on this, though
I assume that you have all been following things. But this is a basic
issue for the project, so core@ (and not srcmgr@) should have a
position on this.

I understand that des no longer feels interested in maintaining lpd or
fixing its apparently numerous bugs. But there are alternatives:

1. Find somebody who *is* interested. I haven't seen anything on the
mailing lists asking for this. Why not?

2. Take the corresponding code from another BSD, like we have done in
the past. des tells us, without details, that the OpenBSD code
has the same bugs. I've asked numerous times, but nobody has told
me whether they have spoken with the OpenBSD project about it.
And what about NetBSD or DragonflyBSD?

3. Make it a shared project amongst BSDs, like make(1).

What seems completely wrong to me is to outsource it to a port,
especially one that is unmaintained, has a GPL license and has
conflicts with existing installations.

I've been investigating LPRng in more detail, and the more I look, the
worse it gets:

1. From the Makefile:

LICENSE= ART10 GPLv2

I thought that was supposed *not* to be GPL.

2. Also in the Makefile:

CONFLICTS= cups-base-1.[2-9]*

So many ports have CUPS as a dependency that this makes it
effectively a no-no. I was going to build the port to see what it
was like, but this makes it almost impossible. I haven't found
any of my systems without CUPS. So to answer des' initial
question: no, it is by no means a drop-in replacement for base
lpd.

3. When I tried to build (and before it refused), I got:

The LPRng port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:

Since when do we rely on unmaintained ports?

FWIW, trying to install the package doesn't complain, though it would
overwrite a number of files. This looks like a bug in the package to
me.

That's about as far as I went with LPRng. On the face of it, CUPS
would make more sense, though I've had nothing but trouble with it.
At least it doesn't require the GPL. But I still find reliance on
*any* port to be wrong.

Greg
--
Sent from my desktop computer.
See complete headers for address and phone numbers.
This message is digitally signed. If your Microsoft mail program
reports problems, please read http://lemis.com/broken-MUA.php

--CwEx6avFF2kTSAjq
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQSaG4ICvM64RvkvCawi5vKQUHpCIwUCaZ0QPwAKCRAi5vKQUHpC I7BnAKCAJnIJrcdU80/hvGdbfRDNRtvwCACdEXYzemw/22l4TZ6ul4Z/PVceNRo=
=PotH
-----END PGP SIGNATURE-----

--CwEx6avFF2kTSAjq--


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21b-Linux NewsLink 1.2

From Newsgroup: muc.lists.freebsd.stable

On 02/23/2026 8:43 PM CST Greg 'groggy' Lehey <grog@freebsd.org> wrote:

I've asked numerous times, but nobody has told me whether they
have spoken with the OpenBSD project about it. And what about
NetBSD or DragonflyBSD?

Have _you_ spoken to them?

So, where are all these magical entities who are supposed to do
the boring daily grindy work like this? Have they ascended to
another plane, or are they just tired, old, people like me?

mcl


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21b-Linux NewsLink 1.2

From Newsgroup: muc.lists.freebsd.stable


--KXCw5CU1qGddHMG/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Monday, 23 February 2026 at 20:55:27 -0600, Mark Linimon wrote:

On 02/23/2026 8:43 PM CST Greg 'groggy' Lehey <grog@freebsd.org> wrote:

I've asked numerous times, but nobody has told me whether they
have spoken with the OpenBSD project about it. And what about
NetBSD or DragonflyBSD?

Have _you_ spoken to them?

Not yet. First I wanted to understand what has happened so far. But
I certainly will do so if nobody else has.

So, where are all these magical entities who are supposed to do the
boring daily grindy work like this?

They're collectively called the FreeBSD project. That was point 1 of
my message. I'm well aware of manpower limitations, thust the order
of my suggestions.

Have they ascended to another plane, or are they just tired, old,
people like me?

... or me. Most are younger than you or I are. And yes, the project demographic is changing, but that's for a different rant.

Greg
--
Sent from my desktop computer.
See complete headers for address and phone numbers.
This message is digitally signed. If your Microsoft mail program
reports problems, please read http://lemis.com/broken-MUA.php

--KXCw5CU1qGddHMG/
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQSaG4ICvM64RvkvCawi5vKQUHpCIwUCaZ0WpgAKCRAi5vKQUHpC I2jJAJ9T4IbBUpq+ri7XfOnlIoaRBStRRQCfUrx06gCqJwoZOr+scyI52klcRvM=
=Nj6x
-----END PGP SIGNATURE-----

--KXCw5CU1qGddHMG/--


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21b-Linux NewsLink 1.2

From Newsgroup: muc.lists.freebsd.stable

--=_704475ec7db937be31238c23429e56dd
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII;
format=flowed

On 2026-02-23 18:55, Mark Linimon wrote:

On 02/23/2026 8:43 PM CST Greg 'groggy' Lehey <grog@freebsd.org> wrote:

I've asked numerous times, but nobody has told me whether they
have spoken with the OpenBSD project about it. And what about
NetBSD or DragonflyBSD?

Have _you_ spoken to them?

So, where are all these magical entities who are supposed to do
the boring daily grindy work like this? Have they ascended to
another plane, or are they just tired, old, people like me?

In this "old mans" humble opinion, Greg had a perfectly reasonable
concern. Being tired and grumpy has nothing to do with it.

If push comes to shove. This grumpy old man will take over the lpd source,
or find a suitable arrangement.

Des, can I get a copy of your work?

Greg, thanks for writing the complete BSD book. I still have it! :)
FreeBSD would not be what it is today, without it.

mcl

--Chris
--=_704475ec7db937be31238c23429e56dd
Content-Transfer-Encoding: 7bit
Content-Type: application/pgp-keys;
name=0xE512722F.asc
Content-Disposition: attachment;
filename=0xE512722F.asc;
size=3074

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBGf/G0IBCADARuJc6IcwOe3jv7dQsP1X/EIHvCFExPbTmlMNFMXbMMccQUnV o8ayEn+wmTvPhw7uL3PDk7DQs16W1sN2b8UMFc804cVWNGtoG3rA+Np+TFEYlXJx eh5Q42VHptkuwzHKl+q2utkpRlS7uHyfjsInQAoHxLyi/wrsaZTHHhDbLLhJ5Ez0 arohQ2Q1w0M5e9rW8Fy5rpC7RpC6uO1SZMxcbdqURI/BBqxbiD1iW62cDWFkfFX+ dtaEXghFV7BIBMDSrgIunGoEfdMZgXys7O6bPWn8z0cuOZIPj4HrjoCYARyQ+sdc rjz/k06SLM/UvEZDorJhT4DbYrwMNvaPWJiPABEBAAG0HkNocmlzIDxic2QtbGlz dHNAYnNkZm9yZ2UuY29tPokBNQQQAQgAHwUCZ/8bQgYLCQcIAwIEFQgKAgMWAgEC GQECGwMCHgEACgkQVKBqaOUSci8bSwf/fK3QcTYXRMrv82HIp4SiGCSD7/bRmyWr ipv2vzknGFHxPBN4AEWIqF/U4j5oDXaodyU6xsy59Z47/lgbyzyZiVR6nmJVgZVf el/EgwnLt7ZuYGLLEhIN2pd9itJkB8PMPZrUHMWgIw8BxX5YFYGuyiNe9pGn0Coj 98t/v3fouhqksH+BpB4TBHJBBDSxSiMm66VTJX4Xcnpf0ZnQVP4GBuoyodnFBfdI wqftPLESsCC08lUhD2j7v2NRWwMi/q3ed8D6VCKPImBByYnBZL5gu56K5bwqaQfN itu06APuIYnG71qxgn1EPO63lovWP5NZGgOKvzs3K+JfPF79BiOUFbQjQ2hyaXMg PG1haWxvcEBocmNvbW11bmljYXRpb25zLm5ldD6JATEEEAEIABwFAmf/G0IGCwkH CAMCBBUICgIDFgIBAhsDAh4BAAoJEFSgamjlEnIvBH8H9RGwzZuU6+zvH1WjQa97 yWpEt9rC+BIBJThev2Cpls2LqBqIeIQVZPnyLAZWgFaiezL6+xbvcNt6OnfidIYa x8iRwCMC6/Bs8H2Wef9qfGxXi+jHPLYQk3juiZVmBhIK6FJZkzaW4wSiawofwzbp zqNxO8dZ0j4foaJZrNi8iqsvKjiiHoSFaJtumIThAeydI18CNLeFaS53sk5nad6I wCYeFKmJ/22dMP7DOFEgyG1iNYgY+AGREMkEsBiLpqYjJ5asK+1UdUy/TRly1hOt HHxCiX0Fh9ZYM2vLIj7sq4LKaMPGeYC3qTqBYugVeyz7LkiI2ft/BKveA5JxuYKk ZrQiQ2hyaXMgPG5hbm9nQGhyY29tbXVuaWNhdGlvbnMubmV0PokBMgQQAQgAHAUC Z/8bQgYLCQcIAwIEFQgKAgMWAgECGwMCHgEACgkQVKBqaOUSci+4Bwf8D0Ogk2/X ud/CsAgHozwzKPqfesL5SRWM14hLnU9/EHoplnZgNexbVY1wXIi2FYPo5cve9QxW Nmt3S3UTF9j2fGqv0wmeHv3EqogFUHnftLyWpbeTPOFDMIQp/BOD6ygfeXxXWxRT L6zvUkSrDtHvkQHPWGRxwP+ihWjpw9AQR/R4/qAuTAZZM0O7UnJEo4mWXatl+utF wegG2giwFTTxfF+1rMpFtUDjYCpRQ6ZmE+gC1mHUMoH7GJMQv12DbqwKrxtwGfd0 AJNO3ZDnxl24BmIfl1YqQGZQ5iIH7At4YItESbU45hoNNsG9oDrsil78EUCAtXHd UPScj+eXaeAkgrQfQ2hyaXMgPHBvcnRtYXN0ZXJAYnNkZm9yZ2UuY29tPokBMgQQ AQgAHAUCZ/8bQgYLCQcIAwIEFQgKAgMWAgECGwMCHgEACgkQVKBqaOUSci9o7Af+ Lwu5hJlI5HZNGwAll7QTIFZVW+y4OEg+amhxTDGbAAqlnSIkHC1KgkmIOOrThme3 kTFCqfIIsuP73yKxHq6kRG0zH5/7asAPNAUOfzD7B2o/gMyuTRKyG5r9f3UmACr4 6qvtFhIwROXr6+NNT2IKg3l0/8F58A0N/TR8D2PTHeo4x6jYcZQDCrCy7BAdk3cu V16k4z/1UzRa07b5McezbWL20cIaZ+dqNcCjKZpzPlTyTCGgrNNtaDpNVhoWUKMB YNcKql+tfC1IpX8l+IU6OBKcDKMkQojvO1QrZqY8MDJGo8jq/CtotQ8+IpAai3Bx dQEsxrxlcKTR4rUqvd8VGbkBDQRn/xtCAQgAv5Nv/aQN72xsLik+K73PJwpUmyhu vnI6stM6dSecylXVHjZ7C4n/m0eQEeQCl+9lByHR9N8H+WS3DtAd4pmciiIxRQLA JZiuaLYcy9ziy1h7130VoR7hhJHzo9FIhWkTGlCDX3egUZrYhMiwFUO8lNltLB8o TBvIrMSsnUzawtQjq/otv0Jf+oBPbG+gIYnAm7w6r86n/l+eVxf5eEoS7wV0DJfp b2jE5zWErWk8I/tq4e8T+1VQeVQR6wz+NrUCSxkPkpNAm19AFUHOk//yvMGWVlDW F6gr3ErN2a0w/kZ0lz3Msxsb87QT+MnJf/T3cuEqdTIoSk74BfNEAdMohQARAQAB iQEfBBgBCAAJBQJn/xtCAhsMAAoJEFSgamjlEnIvyvIH/26zytSVNDaxtprg7XtX LerIWf9RyVx8omCw/lXKRCcgkfwD7QR+nSZ0thWOGMpcnivjuReeVRkz/webUF47 BXJ/Tge07nrxdtyTIHBbp35fPIriaKaII6YWc2Ufdxwv+cD8PADS6gQWAlgrWLmn VmYtyHs4kwtiPZyUyuBdWnZal2GyYY0WVwYjvbk95eInwOaIdoTjesJ7ZhUFu155 r4hh9GlvM0uv8WJ5Mw9wvHa5fIM205I5g0IWC7yvTwwwKHlV4JQQOqMwfv569OEl 1GKqA12nSVziB1+UV+I0NqOABWi/MOi+IySPzYP+XgdPfRNx4vmoHYZwWOQ3t4Jd
TEM=
=oj6y
-----END PGP PUBLIC KEY BLOCK-----

--=_704475ec7db937be31238c23429e56dd--


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21b-Linux NewsLink 1.2

From Newsgroup: muc.lists.freebsd.stable

Greg 'groggy' Lehey <grog@freebsd.org> writes:

I'm really quite concerned about the plans to remove lpd. I
understand that there are security issues with lpd, even if I haven't
heard any reports of exploits in over a third of a century, but the
approach seems wrong to me.

Feel free to review https://reviews.freebsd.org/D55399 yourself, keeping
in mind that it addresses only _some_ of the issues I found in just
_one_ of the 28 source files that make up lpr / lpd. I estimate the
effort needed to overhaul the entire code base and add tests to about
200 hours or two months full-time. I haven't tracked my time so far but
I spent about three days full time on just this patch and a few others
(D55400 adds a socket timeout to mitigate another possible attack, a
bunch of other patches fix build system issues such as parts of lpr /
lpd going into the wrong pkgbase package or not being deleted when the
LPR option is turned off).
I would also like to point out that:
- I have not removed lpr / lpd. I have merely marked them deprecated
and proposed a plan to remove them in or around September 2027, which
is more than a year and half from now, unless they have significantly
improved in the interim.
- I have done more to improve lpd and keep it alive in the last 5 days
than everyone else combined in the last 25 years. But I can't
continue to neglect my paying customers to fix something that almost
nobody uses. Someone will have to step up to either do the work or
hire me to do it.
- Simply moving the code to ports will do nothing to address the
underlying issue, and I will strenuously object to adding software
with known vulnerabilities to the ports tree.
- Some of the issues with lpd cannot be fixed because they are inherent
to its design, which cannot be changed without breaking compatibility,
which is _the only reason_ to keep lpd. The rest of the world has
moved on to IPP.
- There is no spec. RFC 1179 is not a specification for LPDP, but a
description of how lpd works, written after the fact by a third party
who... didn't understand how lpd actually works.
DES
--
Dag-Erling Sm|+rgrav - des@FreeBSD.org
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21b-Linux NewsLink 1.2

From Newsgroup: muc.lists.freebsd.stable

On 2026-02-24 06:30 -05:00 EST, "Dag-Erling Sm|+rgrav" <des@FreeBSD.org> wrote:

- I have done more to improve lpd and keep it alive in the last 5 days
than everyone else combined in the last 25 years.

You have. I appreciate that. Thank you.

But I can't
continue to neglect my paying customers to fix something that almost
nobody uses. Someone will have to step up to either do the work or
hire me to do it.

Best,
Alex--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21b-Linux NewsLink 1.2

From Newsgroup: muc.lists.freebsd.stable


--02Fb3mvUe52Xhuhm
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tuesday, 24 February 2026 at 12:30:39 +0100, Dag-Erling Sm=F8rgrav wrote:

Greg 'groggy' Lehey <grog@freebsd.org> writes:

I'm really quite concerned about the plans to remove lpd. I
understand that there are security issues with lpd, even if I haven't
heard any reports of exploits in over a third of a century, but the
approach seems wrong to me.

Feel free to review https://reviews.freebsd.org/D55399 yourself, keeping
in mind that it addresses only _some_ of the issues I found in just
_one_ of the 28 source files that make up lpr / lpd.

No, I believe you. You've only quoted the start of my message, and
even there I say that I accept that there are security issues. That's
why I didn't copy you explicitly on my message.

The real point of the message was further down, which you don't quote,
and which core@ has not addressed at all: we shouldn't remove basic functionality from the base system.

Still, to your points:

I estimate the effort needed to overhaul the entire code base and
add tests to about 200 hours or two months full-time.

Noted. I didn't expect the current code to be salvageable.

I would also like to point out that:

- I have not removed lpr / lpd. I have merely marked them deprecated
and proposed a plan to remove them in or around September 2027, which
is more than a year and half from now, unless they have significantly
improved in the interim.

Right, but the current course doesn't seem to make that likely.

- I have done more to improve lpd and keep it alive in the last 5 days
than everyone else combined in the last 25 years. But I can't
continue to neglect my paying customers to fix something that almost
nobody uses. Someone will have to step up to either do the work or
hire me to do it.

Yes, I understood this too, just not the details.

- Simply moving the code to ports will do nothing to address the
underlying issue, and I will strenuously object to adding software
with known vulnerabilities to the ports tree.

Agreed. Moving to ports is exactly what I don't want to do.

- Some of the issues with lpd cannot be fixed because they are
inherent to its design, which cannot be changed without breaking
compatibility, which is _the only reason_ to keep lpd. The rest
of the world has moved on to IPP.

You've caught me here. I had never heard of IPP. My understanding is
that it, too, is not supported by the base system. What would it take
to change that? It looks as if it could be a good alternative.
Declaring lpd obsolete would be fine then, and people who really want
it could then use a port.

But CUPS is not the answer either, for most of the same reasons. In
addition, a comment from Theo (who confirmed that nobody had spoken to
the OpenBSD community):

well, let them enjoy cups. I have studied that monster a few times.
it is a huge piece of software lacking any attempt at a security
architecture, and a culture around it that will never make changes.
in such circumstances, i always stick to small pieces of software
where we can hopefully delineate the boundaries.

Would you see things differently?

Greg
--
Sent from my desktop computer.
See complete headers for address and phone numbers.
This message is digitally signed. If your Microsoft mail program
reports problems, please read http://lemis.com/broken-MUA.php

--02Fb3mvUe52Xhuhm
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQSaG4ICvM64RvkvCawi5vKQUHpCIwUCaZ5rBAAKCRAi5vKQUHpC I0V9AJ9bq++wMbylcmVaVE48wTnIOmERdwCdGtMgL/oEFid+/hWfsGyqYtjRDyA=
=KBiS
-----END PGP SIGNATURE-----

--02Fb3mvUe52Xhuhm--


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21b-Linux NewsLink 1.2

From Newsgroup: muc.lists.freebsd.stable

--0000000000000b8909064b9e5663
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

IPP is the protocol that CUPS speaks. There may be other implementations,
but Linux having adopted CUPS /en masse/ makes it somewhat unlikely.

On Tue, Feb 24, 2026 at 10:23=E2=80=AFPM Greg 'groggy' Lehey <grog@freebsd.=

wrote:

On Tuesday, 24 February 2026 at 12:30:39 +0100, Dag-Erling Sm=C3=B8rgrav =

wrote:

Greg 'groggy' Lehey <grog@freebsd.org> writes:

I'm really quite concerned about the plans to remove lpd. I
understand that there are security issues with lpd, even if I haven't
heard any reports of exploits in over a third of a century, but the
approach seems wrong to me.

Feel free to review https://reviews.freebsd.org/D55399 yourself, keepin=

g

in mind that it addresses only _some_ of the issues I found in just
_one_ of the 28 source files that make up lpr / lpd.

No, I believe you. You've only quoted the start of my message, and
even there I say that I accept that there are security issues. That's
why I didn't copy you explicitly on my message.

The real point of the message was further down, which you don't quote,
and which core@ has not addressed at all: we shouldn't remove basic functionality from the base system.

Still, to your points:

I estimate the effort needed to overhaul the entire code base and
add tests to about 200 hours or two months full-time.

Noted. I didn't expect the current code to be salvageable.

I would also like to point out that:

- I have not removed lpr / lpd. I have merely marked them deprecated
and proposed a plan to remove them in or around September 2027, which
is more than a year and half from now, unless they have significantly
improved in the interim.

Right, but the current course doesn't seem to make that likely.

- I have done more to improve lpd and keep it alive in the last 5 days
than everyone else combined in the last 25 years. But I can't
continue to neglect my paying customers to fix something that almost
nobody uses. Someone will have to step up to either do the work or
hire me to do it.

Yes, I understood this too, just not the details.

- Simply moving the code to ports will do nothing to address the
underlying issue, and I will strenuously object to adding software
with known vulnerabilities to the ports tree.

Agreed. Moving to ports is exactly what I don't want to do.

- Some of the issues with lpd cannot be fixed because they are
inherent to its design, which cannot be changed without breaking
compatibility, which is _the only reason_ to keep lpd. The rest
of the world has moved on to IPP.

You've caught me here. I had never heard of IPP. My understanding is
that it, too, is not supported by the base system. What would it take
to change that? It looks as if it could be a good alternative.
Declaring lpd obsolete would be fine then, and people who really want
it could then use a port.

But CUPS is not the answer either, for most of the same reasons. In addition, a comment from Theo (who confirmed that nobody had spoken to
the OpenBSD community):

well, let them enjoy cups. I have studied that monster a few times.
it is a huge piece of software lacking any attempt at a security
architecture, and a culture around it that will never make changes.
in such circumstances, i always stick to small pieces of software
where we can hopefully delineate the boundaries.

Would you see things differently?

Greg
--
Sent from my desktop computer.
See complete headers for address and phone numbers.
This message is digitally signed. If your Microsoft mail program
reports problems, please read http://lemis.com/broken-MUA.php

--=20
brandon s allbery kf8nh
allbery.b@gmail.com

--0000000000000b8909064b9e5663
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">IPP is the protocol that CUPS speaks. There may be other i= mplementations, but Linux having adopted CUPS /en masse/ makes it somewhat = unlikely.</div><br><div class=3D"gmail_quote gmail_quote_container"><div di= r=3D"ltr" class=3D"gmail_attr">On Tue, Feb 24, 2026 at 10:23=E2=80=AFPM Gre=
g &#39;groggy&#39; Lehey &lt;<a href=3D"mailto:grog@freebsd.org">grog@freeb= sd.org</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"m= argin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left= :1ex">On Tuesday, 24 February 2026 at 12:30:39 +0100, Dag-Erling Sm=C3=B8rg= rav wrote:<br>
&gt; Greg &#39;groggy&#39; Lehey &lt;<a href=3D"mailto:grog@freebsd.org" ta= rget=3D"_blank">grog@freebsd.org</a>&gt; writes:<br>
&gt;&gt; I&#39;m really quite concerned about the plans to remove lpd.=C2=
=A0 I<br>
&gt;&gt; understand that there are security issues with lpd, even if I have= n&#39;t<br>
&gt;&gt; heard any reports of exploits in over a third of a century, but th= e<br>
&gt;&gt; approach seems wrong to me.<br>
&gt;<br>
&gt; Feel free to review <a href=3D"https://reviews.freebsd.org/D55399" rel= =3D"noreferrer" target=3D"_blank">https://reviews.freebsd.org/D55399</a> yo= urself, keeping<br>
&gt; in mind that it addresses only _some_ of the issues I found in just<br=

&gt; _one_ of the 28 source files that make up lpr / lpd.<br>

No, I believe you.=C2=A0 You&#39;ve only quoted the start of my message, an= d<br>
even there I say that I accept that there are security issues.=C2=A0 That&#= 39;s<br>
why I didn&#39;t copy you explicitly on my message.<br>

The real point of the message was further down, which you don&#39;t quote,<=

and which core@ has not addressed at all: we shouldn&#39;t remove basic<br> functionality from the base system.<br>

Still, to your points:<br>

&gt; I estimate the effort needed to overhaul the entire code base and<br>
&gt; add tests to about 200 hours or two months full-time.<br>

Noted.=C2=A0 I didn&#39;t expect the current code to be salvageable.<br>

&gt; I would also like to point out that:<br>
&gt;<br>
&gt; - I have not removed lpr / lpd.=C2=A0 I have merely marked them deprec= ated<br>
&gt;=C2=A0 =C2=A0and proposed a plan to remove them in or around September = 2027, which<br>
&gt;=C2=A0 =C2=A0is more than a year and half from now, unless they have si= gnificantly<br>
&gt;=C2=A0 =C2=A0improved in the interim.<br>

Right, but the current course doesn&#39;t seem to make that likely.<br>

&gt; - I have done more to improve lpd and keep it alive in the last 5 days=

&gt;=C2=A0 =C2=A0than everyone else combined in the last 25 years.=C2=A0 Bu=
t I can&#39;t<br>
&gt;=C2=A0 =C2=A0continue to neglect my paying customers to fix something t= hat almost<br>
&gt;=C2=A0 =C2=A0nobody uses.=C2=A0 Someone will have to step up to either =
do the work or<br>
&gt;=C2=A0 =C2=A0hire me to do it.<br>

Yes, I understood this too, just not the details.<br>

&gt; - Simply moving the code to ports will do nothing to address the<br> &gt;=C2=A0 =C2=A0underlying issue, and I will strenuously object to adding = software<br>
&gt;=C2=A0 =C2=A0with known vulnerabilities to the ports tree.<br>

Agreed.=C2=A0 Moving to ports is exactly what I don&#39;t want to do.<br>

&gt; - Some of the issues with lpd cannot be fixed because they are<br> &gt;=C2=A0 =C2=A0inherent to its design, which cannot be changed without br= eaking<br>
&gt;=C2=A0 =C2=A0compatibility, which is _the only reason_ to keep lpd.=C2=
=A0 The rest<br>
&gt;=C2=A0 =C2=A0of the world has moved on to IPP.<br>

You&#39;ve caught me here.=C2=A0 I had never heard of IPP.=C2=A0 My underst= anding is<br>
that it, too, is not supported by the base system.=C2=A0 What would it take=

to change that?=C2=A0 It looks as if it could be a good alternative.<br> Declaring lpd obsolete would be fine then, and people who really want<br>
it could then use a port.<br>

But CUPS is not the answer either, for most of the same reasons.=C2=A0 In<b=

addition, a comment from Theo (who confirmed that nobody had spoken to<br>
the OpenBSD community):<br>

=C2=A0 well, let them enjoy cups.=C2=A0 I have studied that monster a few t= imes.<br>
=C2=A0 it is a huge piece of software lacking any attempt at a security<br> =C2=A0 architecture, and a culture around it that will never make changes.<=

=C2=A0 in such circumstances, i always stick to small pieces of software<br=

=C2=A0 where we can hopefully delineate the boundaries.<br>

Would you see things differently?<br>

Greg<br>
--<br>
Sent from my desktop computer.<br>
See complete headers for address and phone numbers.<br>
This message is digitally signed.=C2=A0 If your Microsoft mail program<br> reports problems, please read <a href=3D"http://lemis.com/broken-MUA.php" r= el=3D"noreferrer" target=3D"_blank">http://lemis.com/broken-MUA.php</a><br> </blockquote></div><div><br clear=3D"all"></div><div><br></div><span class= =3D"gmail_signature_prefix">-- </span><br><div dir=3D"ltr" class=3D"gmail_s= ignature"><div dir=3D"ltr"><div><div dir=3D"ltr"><div>brandon s allbery kf8= nh</div><div><a href=3D"mailto:allbery.b@gmail.com" target=3D"_blank">allbe= ry.b@gmail.com</a></div></div></div></div></div>

--0000000000000b8909064b9e5663--


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21b-Linux NewsLink 1.2

From Newsgroup: muc.lists.freebsd.stable

On Feb 24, 2026, at 7:22rC>PM, Greg 'groggy' Lehey <grog@freebsd.org> wrote:

You've caught me here. I had never heard of IPP. My understanding is
that it, too, is not supported by the base system. What would it take
to change that? It looks as if it could be a good alternative.

CUPS!

Declaring lpd obsolete would be fine then, and people who really want
it could then use a port.

But CUPS is not the answer either, for most of the same reasons. In addition, a comment from Theo (who confirmed that nobody had spoken to
the OpenBSD community):

well, let them enjoy cups. I have studied that monster a few times.
it is a huge piece of software lacking any attempt at a security
architecture, and a culture around it that will never make changes.
in such circumstances, i always stick to small pieces of software
where we can hopefully delineate the boundaries.

Note that CUPS is maintained unlike BSD's lpd & it also used on MacOS.
It is licensed under Apache-2.0 and some exceptions. It comes with a
collection of programs including lpr, lpd etc.
It doesn't make sense to try to do a from-scratch lpd that supports IPP,
or spend any resources on such an effort as this is a complex subsystem.
Or updating lpd & friends to talk to modern printers.
Normally I am a fan of maintaining old programs but it doesn't seem
worth it here.--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21b-Linux NewsLink 1.2

From Newsgroup: muc.lists.freebsd.stable

Greg 'groggy' Lehey <grog@freebsd.org> writes:

The real point of the message was further down, which you don't quote,
and which core@ has not addressed at all: we shouldn't remove basic functionality from the base system.

Why not? We do that all the time. I don't think a single year has gone
by in the project's history where we haven't removed something that had
become too costly to maintain to justify keeping it. You of all people
should remember that we retired Vinum just over a year ago, to pick just
one example.
And again, in all caps this time: I HAVE NOT REMOVED LPD. So how about
you go lobby the Foundation to hire me to fix it, instead of asking Core
to censor me for something I haven't done?
DES
--
Dag-Erling Sm|+rgrav - des@FreeBSD.org
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21b-Linux NewsLink 1.2

From Newsgroup: muc.lists.freebsd.stable

Brandon Allbery <allbery.b@gmail.com> writes:

IPP is the protocol that CUPS speaks. There may be other
implementations, but Linux having adopted CUPS /en masse/ makes it
somewhat unlikely.

IPP is the protocol that all modern network printer speaks. It predates
CUPS by several years. Some printers also support LPDP for historical
reasons, but as previously mentioned, there is no proper spec for LPDP,
and it's a shitty protocol anyway.
To summarize, lpr / lpd were originally written to run on a single host
and communicate solely through the filesystem; later on, someone tacked
on network support in the form of what is effectively a file transfer
protocol that lets lpd on one host write to another host's spool. And I
do mean a file transfer protocol; there are practically no constraints
on what the client may send. Until 1997, if you could connect to lpd,
you could write anywhere on the filesystem that lpd could access. Still
today, you can fill the spool with garbage that lpd will never process
or delete, and under some circumstances remotely delete files you didn't create, possibly including lpd's own lock file. All of this with no authentication whatsoever beyond a simple source address:port check.
DES
--
Dag-Erling Sm|+rgrav - des@FreeBSD.org
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21b-Linux NewsLink 1.2

From Newsgroup: muc.lists.freebsd.stable

John Baldwin <jhb@FreeBSD.org> writes:

If the standard for being in ports was "no known vulnerabilities" I
think we wouldn't have much of a ports collection.

That is in fact the standard. Ports with known vulnerabilities get
marked FORBIDDEN and are removed unless fixed within a few months.
DES
--
Dag-Erling Sm|+rgrav - des@FreeBSD.org
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21b-Linux NewsLink 1.2

From Newsgroup: muc.lists.freebsd.stable

On 25/02/2026 19:21, Marek Zarychta wrote:

[...]

In the case of lpd(1) and the traditional printing toolchain, no one has such illusions. For a quarter of a century now, all new deployments have been based on the CUPS printing system, which is permissively licensed
and readily available in the ports.

no one, all and everybody, these assumptions can be very fragile in discussions of this type (history has proven this many times) :)

Best regards
Miroslav Lachman



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
--- Synchronet 3.21b-Linux NewsLink 1.2