Discussion:
Process Software to bring back Purveyor?
u***@gmail.com
2016-10-22 19:45:41 UTC
My dream of running TCPware Purveyor webservers on x86
would become a reality. Time to ditch that unix apache garbage
and run an unbeatable combo that could rule the world! :)
Scott Dorsey
2016-10-22 22:49:55 UTC
Post by u***@gmail.com
My dream of running TCPware Purveyor webservers on x86
would become a reality. Time to ditch that unix apache garbage
and run an unbeatable combo that could rule the world! :)
Purveyor was very simple, probably a couple pages full of code. You
could readily write something like that yourself in DIBOL or BASIC...
just wait for a GET statement, parse it, and return the contents of a file.
Shouldn't take more than a couple hours.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
David Froble
2016-10-23 03:22:52 UTC
Post by u***@gmail.com
My dream of running TCPware Purveyor webservers on x86
would become a reality. Time to ditch that unix apache garbage
and run an unbeatable combo that could rule the world! :)
You don't seem to be a fan of WASD ???
Neil Rieck
2016-10-26 11:29:42 UTC
Post by David Froble
Post by u***@gmail.com
My dream of running TCPware Purveyor webservers on x86
would become a reality. Time to ditch that unix apache garbage
and run an unbeatable combo that could rule the world! :)
You don't seem to be a fan of WASD ???
I agree. WASD is the alternative to older products like Purveyor and OSU DECthreads because WASD has up-to-date OpenSSL support.

Our system was recently audited by Corporate Security who did not like our current version of OpenSSL. I told them that the system in question did not have anyone doing secure transactions and here was their response: update OpenSSL or close port 443.

Neil Rieck
Waterloo, Ontario, Canada.
http://www3.sympatico.ca/n.rieck/docs/dark_age.html
u***@gmail.com
2017-02-04 18:02:40 UTC
Post by Neil Rieck
Post by David Froble
Post by u***@gmail.com
My dream of running TCPware Purveyor webservers on x86
would become a reality. Time to ditch that unix apache garbage
and run an unbeatable combo that could rule the world! :)
You don't seem to be a fan of WASD ???
I agree. WASD is the alternative to older products like Purveyor and OSU DECthreads because WASD has up-to-date OpenSSL support.
Our system was recently audited by Corporate Security who did not like our current version of OpenSSL. I told them that the system in question did not have anyone doing secure transactions and here was their response: update OpenSSL or close port 443.
Neil Rieck
Waterloo, Ontario, Canada.
http://www3.sympatico.ca/n.rieck/docs/dark_age.html
why can't Purveyor's OpenSSL be updated, not that hard.
Scott Dorsey
2017-02-05 23:14:11 UTC
Post by u***@gmail.com
Post by Neil Rieck
Our system was recently audited by Corporate Security who did not like our current version of OpenSSL. I told them that the system in question did not have anyone doing secure transactions and here was their response: update OpenSSL or close port 443.
That is a perfectly reasonable response. If you aren't doing secure
transactions, what is port 443 open for in the first place? You have
twice the vulnerability exposure without any added security. Shut it
down and save yourself grief. No one will notice the difference.
Post by u***@gmail.com
why can't Purveyor's OpenSSL be updated, not that hard.
Does Purveyor even support https:? I thought the whole point of it was
that it was very lightweight; it waits for a GET and then dumps a file
out. Very little to go wrong or become insecure.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
Stephen Hoffman
2017-02-06 23:40:29 UTC
Post by Scott Dorsey
Post by Neil Rieck
Our system was recently audited by Corporate Security who did not like
our current version of OpenSSL. I told them that the system in question
did not have anyone doing secure transactions and here was their
response: update OpenSSL or close port 443.
That is a perfectly reasonable response. If you aren't doing secure
transactions, what is port 443 open for in the first place? You have
twice the vulnerability exposure without any added security. Shut it
down and save yourself grief. No one will notice the difference.
As a workaround, sure. There's little difference in vulnerabilities
between TCP 80 HTTP and TCP 443 HTTPS, and you're more likely to have
ads and other junk injected into your web pages by ISPs and Wi-Fi
services if you have folks accessing your site via 80. More than a
little of that data is scraped and resold, too. That's all assuming
your web pages are even what the client browser reaches, and not some
other site. Sometimes just knowing what web pages are accessed can
leak data, too.

https://obamawhitehouse.archives.gov/blog/2015/06/08/https-everywhere-government

https://https.cio.gov

I'm certainly remiss here too, and really should be serving everything
only via HTTPS.

Having a down-revision OpenSSL affects connections beyond Apache, too.
--
Pure Personal Opinion | HoffmanLabs LLC
Stephen Hoffman
2017-02-06 16:01:19 UTC
Post by u***@gmail.com
why can't Purveyor's OpenSSL be updated, not that hard.
PHB: "Anything I Don't Understand Must Be Easy."
http://dilbert.com/strip/1994-10-17

It isn't easy to put together and secure a modern web server, and
updating something as dated as Purveyor to what Apache or nginx or
lighttpd or iis or another server now provides — equivalent to any web
server that's been kept current — is a whole lot of work.
--
Pure Personal Opinion | HoffmanLabs LLC
Scott Dorsey
2017-02-06 16:34:06 UTC
Post by Stephen Hoffman
Post by u***@gmail.com
why can't Purveyor's OpenSSL be updated, not that hard.
PHB: "Anything I Don't Understand Must Be Easy."
http://dilbert.com/strip/1994-10-17
It isn't easy to put together and secure a modern web server, and
updating something as dated as Purveyor to what Apache or nginx or
lighttpd or iis or another server now provides — equivalent to any web
server that's been kept current — is a whole lot of work.
There is a valid niche for tiny stripped-down web servers, and I think
that although Purveyor filled that niche well, making something else
similar might do the job just as well.

This wouldn't be a modern web server, this would be a thing that just takes
a get and sends out a file. No backend cgi-bin stuff. No SSL. Just static
calls and static files.

The fewer features you have, the fewer possible security holes you have,
and the easier it is to maintain long-term.

Take everything out. If it's not the right tool for the job, that's okay,
there is apache for when you need a modern web server. Because it IS the
right tool for some jobs.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
Stephen Hoffman
2017-02-06 23:52:20 UTC
Post by Scott Dorsey
There is a valid niche for tiny stripped-down web servers, and I think
that although Purveyor filled that niche well, making something
else similar might do the job just as well.
True. But what part of the current or future installed base is
looking for that on OpenVMS servers and clusters, and that's also
interested in learning a new and different web server from Apache or
nginx or lighttpd or such?

Maybe fire up https://github.com/ovidiucp/TinyWebServer on an Arduino
and use that?

Or Windows 8 or 10 with IIS?
https://technet.microsoft.com/en-us/library/hh831515(v=ws.11).aspx

But if you're inclined and need one of these static configurations, see:
https://www.staticgen.com
https://staticsitegenerators.net

Can't say I see a burgeoning future in non-HTTPS web services either,
but I digress.

In some distant future OpenVMS with a package manager and related,
this'd be a great thing to have for some folks. But we're a ways from
that future. I'd be happy to see Apache or nginx and related giblets
migrated into the base OpenVMS distro and integrated, too. Right
alongside integrated IP networking.
--
Pure Personal Opinion | HoffmanLabs LLC
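Added example, not part of the thread and not any poster's or Purveyor's code: the request-handling core of the stripped-down server Scott Dorsey describes above (accept a GET, return a static file, nothing else), showing the checks that keep "just send a file" from sending files outside the document root. The function name, status choices and the sample directory are assumptions made for illustration.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit


def resolve_request(request_line: str, docroot: str):
    """Map one HTTP request line to (status, absolute_file_path_or_None)."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return 400, None                      # malformed request line
    method, target, _version = parts
    if method != "GET":
        return 405, None                      # static files only: no PUT, POST, ...
    if not target.startswith("/"):
        return 400, None                      # origin-form targets only
    # Drop the query string, then decode %xx so "%2e%2e" is seen as "..".
    path = unquote(urlsplit(target).path)
    if "\x00" in path:
        return 400, None                      # NUL bytes never name a real file
    # Canonicalise both sides (symlinks, "..") before comparing.
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return 403, None                      # resolved outside the document root
    if not os.path.isfile(candidate):
        return 404, None
    return 200, candidate


def demo():
    """Run constructed request lines against a constructed document root."""
    with tempfile.TemporaryDirectory() as top:
        docroot = os.path.join(top, "www")
        os.mkdir(docroot)
        with open(os.path.join(docroot, "index.html"), "w") as f:
            f.write("<h1>queue status</h1>")
        with open(os.path.join(top, "secret.txt"), "w") as f:
            f.write("not for serving")        # sits beside, not under, docroot
        requests = [
            "GET /index.html HTTP/1.0",
            "GET /index.html?refresh=1 HTTP/1.1",
            "GET /../secret.txt HTTP/1.0",
            "GET /%2e%2e/secret.txt HTTP/1.0",
            "PUT /index.html HTTP/1.1",
            "GET /missing.html HTTP/1.0",
            "GET /index.html%00.txt HTTP/1.0",
        ]
        return [resolve_request(r, docroot)[0] for r in requests]


if __name__ == "__main__":
    print(demo())
```

The containment check runs on the decoded, canonicalised path, so the plain and percent-encoded traversal requests are rejected the same way.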
j***@gmail.com
2017-02-02 22:05:53 UTC
Post by u***@gmail.com
My dream of running TCPware Purveyor webservers on x86
would become a reality. Time to ditch that unix apache garbage
and run an unbeatable combo that could rule the world! :)
hahah glad to hear it has fans.. I worked there as a college intern back in the day.
u***@gmail.com
2017-02-09 13:58:23 UTC
Post by u***@gmail.com
My dream of running TCPware Purveyor webservers on x86
would become a reality. Time to ditch that unix apache garbage
and run an unbeatable combo that could rule the world! :)
purveyor doesn't have ssl, news to me I used it all the time.
Scott Dorsey
2017-02-09 15:06:56 UTC
Post by u***@gmail.com
Post by u***@gmail.com
My dream of running TCPware Purveyor webservers on x86
would become a reality. Time to ditch that unix apache garbage
and run an unbeatable combo that could rule the world! :)
purveyor doesn't have ssl, news to me I used it all the time.
Does it have SSL?

Well, then it's too heavyweight. No good, I want something smaller.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
Stephen Hoffman
2017-02-10 16:37:12 UTC
Post by Scott Dorsey
Does it have SSL?
Well, then it's too heavyweight. No good, I want something smaller.
Why bother with http? Use a telnet server, or maybe snmp? But it
really seems you might be looking for assistance with something akin to
IoT, so why not look there? Contiki or Riot or TinyOS or OpenWSN or
FreeRTOS or other options are available, and may or will serve your
requirements better? Or you're working with massive network loads
and IoT-style security requirements and there are approaches for doing
that with OpenVMS and with other operating systems; push notifications
or otherwise. Some additional details around the app requirements are
necessary for a more meaningful answer.
--
Pure Personal Opinion | HoffmanLabs LLC
Scott Dorsey
2017-02-10 19:17:32 UTC
Post by Stephen Hoffman
Post by Scott Dorsey
Does it have SSL?
Well, then it's too heavyweight. No good, I want something smaller.
Why bother with http? Use a telnet server, or maybe snmp?
Because all the kids want to use web browsers for everything.
Post by Stephen Hoffman
But it
really seems you might be looking for assistance with something akin to
IoT, so why not look there? Contiki or Riot or TinyOS or OpenWSN or
FreeRTOS or other options are available, and may or will serve your
requirements better? Or you're working with massive network loads
and IoT-style security requirements and there are approaches for doing
that with OpenVMS and with other operating systems; push notifications
or otherwise. Some additional details around the app requirements are
necessary for a more meaningful answer.
All of these different applications are good ones. Or perhaps you just
want to serve a web page showing what system applications are running and
which are not, directly from the server running the applications. Or maybe
you want your print server or batch machine to show users what's in the queue.
These are all applications for which I might want a lightweight server running
on a big VMS machine.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
David Froble
2017-02-10 21:24:02 UTC
Post by Scott Dorsey
Post by Stephen Hoffman
Post by Scott Dorsey
Does it have SSL?
Well, then it's too heavyweight. No good, I want something smaller.
Why bother with http? Use a telnet server, or maybe snmp?
Because all the kids want to use web browsers for everything.
Post by Stephen Hoffman
But it
really seems you might be looking for assistance with something akin to
IoT, so why not look there? Contiki or Riot or TinyOS or OpenWSN or
FreeRTOS or other options are available, and may or will serve your
requirements better? Or you're working with massive network loads
and IoT-style security requirements and there are approaches for doing
that with OpenVMS and with other operating systems; push notifications
or otherwise. Some additional details around the app requirements are
necessary for a more meaningful answer.
All of these different applications are good ones. Or perhaps you just
want to serve a web page showing what system applications are running and
which are not, directly from the server running the applications. Or maybe
you want your print server or batch machine to show users what's in the queue.
These are all applications for which I might want a lightweight server running
on a big VMS machine.
--scott
Thing is, none of the operations are all that difficult, if you're willing to
write a bit of code. Much easier if SSL isn't thrown into the mix. But, what
they are is unique. A bit tougher to provide a generic tool to do unique stuff.
You'd need to have verbs the tool understands, and be able to associate the
verbs with perhaps some custom code, DCL, or whatever.

I guess such a tool could be set up, where a list of verbs, associated with a
program or command file to run, and what filename holds the results for sending
back to the client.

Ya know, like a web server ....

:-)
Stephen Hoffman
2017-02-10 22:22:04 UTC
Post by Scott Dorsey
Post by Stephen Hoffman
Post by Scott Dorsey
Does it have SSL?
Well, then it's too heavyweight. No good, I want something smaller.
Why bother with http? Use a telnet server, or maybe snmp?
Because all the kids want to use web browsers for everything.
Increasingly HTTPS, too.
Post by Scott Dorsey
Post by Stephen Hoffman
But it really seems you might be looking for assistance with something
akin to IoT, so why not look there? Contiki or Riot or TinyOS or
OpenWSN or FreeRTOS or other options are available, and may or will
serve your requirements better? Or you're working with massive
network loads and IoT-style security requirements and there are
approaches for doing that with OpenVMS and with other operating
systems; push notifications or otherwise. Some additional details
around the app requirements are necessary for a more meaningful answer.
All of these different applications are good ones. Or perhaps you just
want to serve a web page showing what system applications are running
and which are not, directly from the server running the applications.
Or maybe you want your print server or batch machine to show users
what's in the queue.
You're definitely following a path similar to that of IoT, at least
around the lack of security.

Have fun, and expect to learn a lot.
Post by Scott Dorsey
These are all applications for which I might want a lightweight server
running on a big VMS machine.
So use HTTPS, and call back if there's too much load?

Wouldn't be surprised to see TLS overhead much lower in comparison to
the file I/O latency and particularly against the usual slowness of a
browser being operated by a carbon unit, premature optimizations and
all, but I digress.
http://stackoverflow.com/questions/149274/http-vs-https-performance#149397


I'd certainly prefer a much easier API for TLS and networking and
service discovery and certificate verification and related, but then
I've already commented around that.
--
Pure Personal Opinion | HoffmanLabs LLC
John Reagan
2017-02-10 22:30:17 UTC
Post by Stephen Hoffman
Post by Scott Dorsey
Post by Stephen Hoffman
Post by Scott Dorsey
Does it have SSL?
Well, then it's too heavyweight. No good, I want something smaller.
Why bother with http? Use a telnet server, or maybe snmp?
Because all the kids want to use web browsers for everything.
Increasingly HTTPS, too.
Post by Scott Dorsey
Post by Stephen Hoffman
But it really seems you might be looking for assistance with something
akin to IoT, so why not look there? Contiki or Riot or TinyOS or
OpenWSN or FreeRTOS or other options are available, and may or will
serve your requirements better? Or you're working with massive
network loads and IoT-style security requirements and there are
approaches for doing that with OpenVMS and with other operating
systems; push notifications or otherwise. Some additional details
around the app requirements are necessary for a more meaningful answer.
All of these different applications are good ones. Or perhaps you just
want to serve a web page showing what system applications are running
and which are not, directly from the server running the applications.
Or maybe you want your print server or batch machine to show users
what's in the queue.
You're definitely following a path similar to that of IoT, at least
around the lack of security.
Remember, the "S" in IoT stands for security.
David Froble
2017-02-10 23:46:05 UTC
Post by John Reagan
Post by Stephen Hoffman
Post by Scott Dorsey
Post by Stephen Hoffman
Post by Scott Dorsey
Does it have SSL?
Well, then it's too heavyweight. No good, I want something smaller.
Why bother with http? Use a telnet server, or maybe snmp?
Because all the kids want to use web browsers for everything.
Increasingly HTTPS, too.
Post by Scott Dorsey
Post by Stephen Hoffman
But it really seems you might be looking for assistance with something
akin to IoT, so why not look there? Contiki or Riot or TinyOS or
OpenWSN or FreeRTOS or other options are available, and may or will
serve your requirements better? Or you're working with massive
network loads and IoT-style security requirements and there are
approaches for doing that with OpenVMS and with other operating
systems; push notifications or otherwise. Some additional details
around the app requirements are necessary for a more meaningful answer.
All of these different applications are good ones. Or perhaps you just
want to serve a web page showing what system applications are running
and which are not, directly from the server running the applications.
Or maybe you want your print server or batch machine to show users
what's in the queue.
You're definitely following a path similar to that of IoT, at least
around the lack of security.
Remember, the "S" in IoT stands for security.
Is that a silent "S" ?

:-)
Bill Gunshannon
2017-02-11 02:23:51 UTC
Post by David Froble
Post by John Reagan
Post by Stephen Hoffman
Post by Scott Dorsey
Post by Stephen Hoffman
Post by Scott Dorsey
Does it have SSL?
Well, then it's too heavyweight. No good, I want something smaller.
Why bother with http? Use a telnet server, or maybe snmp?
Because all the kids want to use web browsers for everything.
Increasingly HTTPS, too.
Post by Scott Dorsey
Post by Stephen Hoffman
But it really seems you might be looking for assistance with
something akin to IoT, so why not look there? Contiki or Riot or
TinyOS or OpenWSN or FreeRTOS or other options are available, and
may or will serve your requirements better? Or you're working
with massive network loads and IoT-style security requirements and
there are approaches for doing that with OpenVMS and with other
operating systems; push notifications or otherwise. Some
additional details around the app requirements are necessary for a
more meaningful answer.
All of these different applications are good ones. Or perhaps you
just want to serve a web page showing what system applications are
running and which are not, directly from the server running the
applications. Or maybe you want your print server or batch machine
to show users what's in the queue.
You're definitely following a path similar to that of IoT, at least
around the lack of security.
Remember, the "S" in IoT stands for security.
Is that a silent "S" ?
:-)
Like the Open in OpenVMS. :-)

bill
Paul Sture
2017-02-11 10:04:14 UTC
Post by Bill Gunshannon
Post by David Froble
Post by John Reagan
Remember, the "S" in IoT stands for security.
Is that a silent "S" ?
:-)
Like the Open in OpenVMS. :-)
It's the reverse of the Open in OpenVMS in that it's pronounced
but not written.

Insert "Shi" before the "T" to get the pronounced version.
--
A supercomputer is a device for turning compute-bound problems into
I/O-bound problems. ---Ken Batcher
Scott Dorsey
2017-02-11 16:57:06 UTC
Security is a bunch of things. If you have data that you're putting onto a
web server, confidentiality is likely not a big deal. If it IS a big deal,
perhaps the flat open web server is not the right tool for the job.

If you have a flat, passive web server just serving out files, your main
worry is data integrity, and to prevent other people from somehow hijacking
the incoming connection to the web server.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
Stephen Hoffman
2017-02-11 18:23:48 UTC
Post by Scott Dorsey
Security is a bunch of things. If you have data that you're putting
onto a web server, confidentiality is likely not a big deal. If it IS
a big deal, perhaps the flat open web server is not the right tool for
the job.
If you have a flat, passive web server just serving out files, your
main worry is data integrity, and to prevent other people from somehow
hijacking the incoming connection to the web server.
Ayup. That certainly depends highly on the information being served.
This determination can sometimes be quite subtle, too. Even
commonly-available data can sometimes be exceedingly sensitive to the
folks browsing the site, for instance. If somebody starts looking up
specific medical conditions, for instance? Maybe that comes back to
haunt the browser? Same for surfing available data that might be
trouble in the particular geography for the browser. It's not just
the data, it's also the metadata. Then there's the fun of the HTTP
ad injection and the connection monitoring and tracking that's
increasingly arising. Or the case when somebody later modifies the
site and adds PUT or UPDATE into the interface vernacular, or sensitive
data into the parameters or such, and doesn't think through the
consequences.

Outside of something akin to an IoT device with no provision to
generate and load a unique certificate — and with full knowledge of
what a mess those IoT devices can increasingly cause — I see very
little reason not to encrypt all web connections. Rule of thumb:
encrypt it, and preferably with PFS. With OpenVMS servers involved,
there's usually little reason not to encrypt the data. There are also
encryption assists available in x86-64 processor hardware from Intel
and AMD, too. https://en.wikipedia.org/wiki/AES_instruction_set et al.
--
Pure Personal Opinion | HoffmanLabs LLC
Stephen Hoffman
2017-02-10 16:24:26 UTC
Post by u***@gmail.com
My dream of running TCPware Purveyor webservers on x86 would become a
reality. Time to ditch that unix apache garbage and run an unbeatable
combo that could rule the world! :)
purveyor doesn't have ssl, news to me I used it all the time.
I'd wager that Purveyor web server will fail one of the better-known
TLS security checks.

https://www.ssllabs.com/ssltest/

(I don't have a Purveyor instance handy to test with, or I'd post the
details here. And I'm not inclined to go Shodan and test without
permission.)
--
Pure Personal Opinion | HoffmanLabs LLC
Hunter Goatley
2017-02-25 17:12:19 UTC
There are tons of reasons that Purveyor was retired a very long time
ago. It didn't even support virtual hosting, pretty much a requirement
for anyone running a website today.

I can assure you that Purveyor, while a great product in its time, isn't
coming back.

WASD is the way to go....
--
Hunter
------
Hunter Goatley, Process Software, http://www.process.com/
***@goatley.com http://hunter.goatley.com/