[Nut-upsuser] ISE review of I-D: deprecate command VER?
Manuel Wolfshant
wolfy at nobugconsulting.ro
Sun Mar 20 23:46:27 GMT 2022
On 3/21/22 00:41, Greg Troxel wrote:
> Manuel Wolfshant <wolfy at nobugconsulting.ro> writes:
>
>> Connected to outlook-com.olc.protection.outlook.com..
>> Escape character is '^]'.
>> 220 VE1EUR03FT022.mail.protection.outlook.com Microsoft ESMTP MAIL
>> Service ready at Sun, 20 Mar 2022 22:20:44 +0000
>>
>> |_ssl-date: 2022-03-20T22:22:21+00:00; 0s from scanner time.
>> Service Info: Host: AM5EUR02FT049.mail.protection.outlook.com; OS:
>> Windows; CPE: cpe:/o:microsoft:windows
>>
>> I am too lazy to check but I am willing to bet a beer that somewhere
>> over there there is an Exchange server
> Sure; these things leak. The real horror of the web is that clients
> send version and the server modifies behavior based on it.
That's a thing in the web design world because there were/are multiple
browsers in use which did/do not implement the same behaviour and
features. So the servers were forced to adapt themselves in order to use
whatever the client could do. I am not a web designer but a couple of
years ago a friend of mine asked me to help with creating the web
content for her startup and it was absolutely completely hideous to make
it look good on multiple devices. Initially it looked good on my desktop
(on which I run Linux & Firefox since 2000). However she complained
that the site was ugly and it took a forceps to find out that she was
looking at it from her mobile phone. Step two it kind of looked OKish on
MY phone (DDG on an old Samsung) but it STILL looked ugly on HER phone
(Samsung browser on a slightly newer Samsung phone). Step three it
was OKish on both phones but still looked like sh*t in Chrome. Because
why not?
>
>>> In general, a fair question is "What if we deleted this? If we wouldn't
>>> have trouble, why are we keeping it?"
>> Connected to dell30-5x.
>>
>> Escape character is '^]'.
>> ver
>> Network UPS Tools upsd 2.7.4 - http://www.networkupstools.org/
>> quit
>>
>> I for one do not see much trouble in advertising the version of nut
>> and its website. But I am also the person who used lighttpd for 15
>> years and made it advertise itself as MS IIS and exim advertised as MS
>> Exchange, just for the fun of seeing failed exploits in the logs
> So how about saying that
>
> ver is optional, in that it can return some NULL type of string (empty
> line).
>
> clients may log ver or show to humans for debugging, but they MUST NOT
> change behavior based on it.
>
>
> The point of a protocol is to speak the defined protocol, and if there
> is really one protocol per but version, things are off the rails. (I'm
> not saying there is a problem, just that there's a line nobody should
> cross and I completely understand where the reviewer is coming from.)
For the time being I do not know of any software that acts as a nut client
and was not compiled from nut sources. On the other hand, I do not see
the point in prohibiting the behaviour of the client based on the
version. Taking into account that the server implements and advertises
certain capabilities (which are mostly dependent on the UPS hardware)
as far as I can see we have two options:
- an honest client which talks with the server in order to know what to
do on the client based on the information received from the server. That
would be the normal use case, I guess there is nothing to comment here.
The client does what the client has to do (that is, receive information,
act on the local system, maybe send write commands to the server in
order to change some variable).
- a nefarious client which wants to abuse the server based on
freshly-or-not-so-freshly announced vulnerabilities. In this case any
MUST or MUST NOT in the standard will be certainly ignored by the
programmer if it stands in her/his way.
Can you please elaborate a bit on your thoughts regarding the MUST NOT?
I am not sure that I follow your concerns.
wolfy