New web newsreader - requesting participation

Mon Jan 31 09:03:56 PST 2011

Stephan Soller wrote:
> Cache invalidation
> How do you handle this right now?

I don't. My program assumes that once it has a message, it never
needs to look to the server for it again.

(This is probably because of my own experience with mailing lists -
I use the mailing list interface to the newsgroup for reading. With
them, once the email is sent, it isn't going to change. I just assumed
the newsgroup worked the same way...)

> D website
>  I really like the layout.

The credit for that goes to Christopher Bergqvist. See the thread
"Suggestion: New D front page" in the main newsgroup. He posted
a png outlining his idea and I just ran with it :)

> The compile and run button is a bit of a security risk. I was able
> to read the /etc/passwd file for example.

Yeah, but that's normal on a multi user linux system. It doesn't
really break anything.

But, I moved the compile and run program to a separate VM to
further limit it. If you read that entire filesystem, it doesn't
really matter - it's an out of the box Slackware install. There's
nothing sensitive or private on it at all.

(Like it's domain name says, it is completely expendable info!)

> Denial of service attacks (e.g.
> endless loops) might still be a problem though.

I think this is solved with my use of setrlimit. If a process
eats more than 5 seconds of CPU time, the operating system kills it.

The limits are also set to 16 MB of RAM, 16 kb files, 3 forks,
and a bunch of other things.

(This might be interesting to test some programs - it will actually
get out of memory exceptions pretty easily!)

Write access is also limited to a single directory, in addition
to that individual size limit. Filling up the disk shouldn't
be possible.

The operating system firewall prevents most network activity, incoming
and outgoing. You can play with sockets, but only if they are working
with localhost, and even then, they aren't allowed to access the
ssh port.

Running a spam bot off it is impossible.

More than this, the VM is also limited. I set its memory and CPU
limits to about 1/5 the resources of the physical server. So if
you did manage to get root and max out your program, it won't
have a significant impact on the other things running with it (all
low traffic websites). An external firewall serves as layer 2 to
protect against spambots.

Finally, I did a VM snapshot after setting it up. I'm considering
running a scheduled script on my computer to blank and reset that
VM every night. Then, if you got root and worked around my other
restrictions, it'd be a temporary victory anyway, just until I
revert the snapshot again.

All in all, I think I have a pretty safe setup. If I'm proven
wrong, plan B is to use the ideone API instead.

> If you only display mails in the announcements which do not have a
> "References" header you will only get mails that started a new topic.
> This will filter out replies.

Yes, that's what I wanted. The idea is to show a feed of new things
coming out, rather than new replies on old ideas. This way, the
homepage shows the most variety.

> Happy programming

Thanks! If I have any questions, I'll be sure to ask. I've gotta
get back to my real work soon though (stupid Monday) so finishing
this will probably have to wait until next weekend.