Am I the only one having issues trying to get this working?
The webserver starts just fine, but once I add the index.html with zip as in the example, it stops working.
This is on Mac 10.15, CentOS 8 and Ubuntu 18.04 LTS.
CentOS:
[centos@test ~]$ ./redbean.com -vv
error: Uncaught SIGSEGV on test.novalocal
./redbean.com
EINVAL/err=22/errno:2/GetLastError:0
Linux test.novalocal 4.18.0-240.10.1.el8_3.x86_64 #1 SMP Mon Jan 18 17:05:51 UTC 2021
On the mac:
~ my-Maccie$./redbean.com -vv
Killed: 9
On Ubuntu:
ubuntu@localhost:~$ ./redbean.com -vv
error: Uncaught SIGSEGV on localhost
./redbean.com
EINVAL/err=22/errno:2/GetLastError:0
Linux localhost 4.15.0-136-generic #140-Ubuntu SMP Thu Jan 28 05:20:47 UTC 2021
IIRC, from vague memories of things flying past, Big Sur won't let a modified binary run once it's been checked by Gatekeeper. Which means the first run gets checked and notarised but when you add the `index.html`, the on-disk binary has changed and Gatekeeper won't allow it to run - I guess it's to prevent malicious code modifications, etc.
It looks like you can get around this by adding Terminal.app as a "developer tool" (i.e. it can create processes without hitting Gatekeeper), maybe that works? (once I did that and relaunched terminal, I can run cosmopolitan binaries).
> This will also prevent distribution from outside of their appstore given it will prevent updates.
I think that if an app is correctly codesigned, Gatekeeper has no issue with it. Also if it's not correctly codesigned but you've ticked "allow unsigned binaries", you can still run them.
> the mothership knows everything you run on your machine
I can't remember the details from the last time this came up but IIRC it only sends a hash and possibly even then only the first time you launch it. Either way, they're not going to block out-of-appstore distribution except if you're a known malicious actor.
Author here. It works fine on RHEL5 / CentOS5 for me. I can also confirm RHEL7. Please file an issue. What will help in particular is if you can give me the faulting RIP address. That should be in the crash report or in your dmesg log.
$ zip -v
Copyright (c) 1990-2008 Info-ZIP - Type 'zip "-L"' for software license.
This is Zip 3.0 (July 5th 2008), by Info-ZIP.
Currently maintained by E. Gordon.
Addition of index.html shrinks(!) redbean.com from size 204800 to size 204348, with changes starting from char 172938. That clearly corrupts the portable executable format.
EDIT: I am an idiot: it's working just fine... the messages looked like an error to me, but visiting https://localhost:8080/ does show a nice HTML page!
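A size change after zipping does not by itself show that the executable part was damaged; what matters is whether the first changed byte falls before the first ZIP record. The check below is an added example, not code from the thread or from the redbean project, and it runs on a constructed stand-in (fake executable bytes followed by a ZIP archive) with hypothetical function names.

```python
import io
import zipfile

def first_diff(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if the inputs are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def zip_start(data: bytes) -> int:
    """Absolute offset of the earliest ZIP local file header in the image."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return min(info.header_offset for info in zf.infolist())

def check_append(before: bytes, after: bytes) -> dict:
    """Compare an executable+ZIP image before and after files were added."""
    start = zip_start(before)
    return {
        "zip_start": start,
        "first_diff": first_diff(before, after),
        "size_delta": len(after) - len(before),
        # Everything ahead of the first ZIP record must be byte-identical.
        "prefix_intact": after[:start] == before[:start],
    }

def build_sample():
    """Constructed sample: stand-in executable bytes with a ZIP appended."""
    prefix = b"MZ" + bytes(range(256)) * 4
    z = io.BytesIO()
    with zipfile.ZipFile(z, "w") as zf:
        zf.writestr("help.txt", "placeholder")
    before = prefix + z.getvalue()
    buf = io.BytesIO(before)
    with zipfile.ZipFile(buf, "a") as zf:  # same effect as adding a file with zip
        zf.writestr("index.html", "<h1>hello</h1>")
    return prefix, before, buf.getvalue()

if __name__ == "__main__":
    _, before, after = build_sample()
    print(check_append(before, after))
```

On real files, read the copy saved before zipping and the modified copy with `open(path, "rb").read()` and pass both to `check_append`.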
No luck for me on win10. I can open the archive but get errors trying to add to it. 7zip and win explorer zip both fail with either unsupported or corrupted archive errors.
Since it's a .com file, after downloading, win 10 also claims 'this dangerous file comes from the internet and is blocked' which you have to check a box to unblock it. I did, but still get the errors trying to add to it.
Yeah another killed: 9 on Mac BigSur.
Could you export the tool in a way that we don't have to zip new files into it? Instead we would have to gcc the whole thing once and be done with it.
Author here. The zip shouldn't need to be saved in any special format. If WinRAR is posing problems then please file an issue because I'd like to fix that. That error doesn't seem like something that would indicate executable corruption. I want to learn more.
While Cloudflare might contact their customers, it's no guarantee that the customers will actually notify their users, so I think this is a good way to find out which sites I might have to change my passwords and API keys on.
The email Cloudflare is sending out to customers where Cloudflare didn't find any cached info isn't particularly alarming: http://pastebin.com/pUnKJE3J
I wouldn't be surprised if people receiving this took no action.
Well, in the Google Zero Project issue ticket, the engineer said he felt Cloudflare tried to downplay the severity and it took them extra days and a lot of demanding from the Google Zero Project team to finally get a draft (which, from a legal and a company reputation PoV, makes sense; you need a lot of eyes on the draft before going out to the public).
I think not every "leak" is sensitive, but there are definitely instances where Cf and Google both found very sensitive information.
For all of you guys recommending using fake accounts, do remember that right before Christmas, the Obama administration signed in new rules [1], giving NSA leeway to share their collected data with 16 other agencies, including DHS, which CBP falls under. So you may get caught if you try to pull these shenanigans off. US agencies are no strangers to mission creep when it comes to sharing data, as seen recently in this article from Intercept on how FBI is building a national watchlist for companies that want to have realtime updates on whether their employees have committed any crimes while employed. [2]
Two quotes from the NYT article that I feel are important to have in the back of your head when you plan your fake accounts:
Now, other intelligence agencies will be able to search directly through raw repositories of communications intercepted by the N.S.A. and then apply such rules for “minimizing” privacy intrusions.
But Patrick Toomey, a lawyer for the American Civil Liberties Union, called the move an erosion of rules intended to protect the privacy of Americans when their messages are caught by the N.S.A.’s powerful global collection methods. He noted that domestic internet data was often routed or stored abroad, where it may get vacuumed up without court oversight.
Let's say CBP gets a tool in a couple of months that lets their border agents search up any passenger through the NSA raw data. That search may then produce your real accounts. Let's say they do this before questioning you, and you then provide them with your fake accounts, that will not look good.
And if one starts applying your principle at a workplace, you end up with the whole company being afraid of doing anything at all, to avoid being fired.
No, there is a level of competency where once you make mistakes below that, firing is the right move.
If a surgeon keeps killing patients because he keeps forgetting to wash his hands, then he needs to be fired.
If a developer skips all company policies and deploys directly to production without a good reason, then he needs to be fired.
There are reasonable mistakes, then there are errors resulting from reckless actions indicative of a larger problem with the person's view towards their work.
Nothing gets me in focus like the mixes over at musicforprogramming.net
Great selection of ambient/non-invasive electronica.
If that doesn't cut it, Burial and Vangelis always do the trick. And for sessions where it's only some brute force grokking, some uplifting jazz from accujazz.com
Well, one of the risks that you face in a state-sponsored advisory is industrial espionage, and that is as likely to come from China [1] as it is coming from the NSA [2].
This may just be paranoia on my part, but wouldn't being a target of industrial espionage by the Chinese make you already important/big enough to have the NSA working for rather than against you?