by tacos 4070 days ago
Actually the trick is to pick software that meets the needs of the technical problem at hand.

Getting a read on where the product is headed -- by being aware of corporate motives or by reading developer's ranty blog posts -- can be part of the strategy. Percival, Torvalds, Fried -- I kinda know what to expect from them moving forward.

This guy is playing a similar game but not doing it right.


I agree with what you said about picking the right tool for the job, but I don't see how he's "not doing it right"

I 100% agree with the view that caching and tls termination/load balancing are two different tasks, suited to two different tools.

The stated reason for this approach is keeping the existing excellent solution from becoming worse without any real gain.

Yes, the author has stated views about the use of tls "everywhere", specifically because Varnish doesn't handle tls; those opinions don't affect the tool at all.

Edit: s/told/tls/ damn you autocorrect!

I'm all for reducing complexity but ignoring the bigger problem so you can focus on a smaller one isn't necessarily the path.

Customers are trying to solve a pretty basic, common problem here. I don't see how a ranty, opinionated position paper moves anyone closer to the finish line.

All it did was further influence my opinion of where Varnish would likely be in five years. While I appreciate the candor I'm not sure he did himself any favors.

I have a really hard time following your argumentation, because it seems to have very little to do with both reality and what I wrote.

What I did WRT moving people closer to the finish line was to implement the PROXY protocol, so that using a(ny) preexisting and well-tested SSL-termination solution works seamlessly with Varnish.

IMO, that is a far superior solution to adding a lot of security critical code to Varnish which, at the end of that huge effort, doesn't work any better.

As I wrote in my piece: "the world really don't need another piece of code that does an half-assed job at cryptography"

And doing a full-assed job only makes sense if you have the resources, competence (important with crypto!) and the result makes a positive contribution, one way or another, which offsets the cost of its production.

Nobody has yet been able to point out what the positive contribution would be, compared to a solution where SSL termination is its own layer.

Do you know something about that which I don't?

If so, please share...
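As an added illustration of the mechanism mentioned above (this is example code, not code from Varnish or from the commenter): a parser for the text (v1) form of the PROXY protocol header that a TLS terminator prepends to the forwarded TCP connection, together with the check a receiver needs because the header is unauthenticated plain text. The sample inputs are constructed, and the `trusted_terminators` set and the helper names are this example's own.

```python
import ipaddress

# Constructed sample inputs: what a TLS terminator sends ahead of the first
# application byte, plus malformed lines a receiver must reject.
SAMPLE_OK = b"PROXY TCP4 203.0.113.10 192.0.2.5 51234 443\r\nGET / HTTP/1.1\r\n"
SAMPLE_V6 = b"PROXY TCP6 2001:db8::10 2001:db8::5 51234 443\r\nGET / HTTP/1.1\r\n"
SAMPLE_UNKNOWN = b"PROXY UNKNOWN\r\nGET / HTTP/1.1\r\n"
SAMPLE_BAD = [
    b"PROXY TCP4 203.0.113.10 192.0.2.5 51234\r\n",        # missing field
    b"PROXY TCP4 999.1.1.1 192.0.2.5 51234 443\r\n",       # invalid address
    b"PROXY TCP6 203.0.113.10 192.0.2.5 51234 443\r\n",    # family/address mismatch
    b"PROXY TCP4 203.0.113.10 192.0.2.5 51234 70000\r\n",  # port out of range
    b"PROXY TCP4 203.0.113.10 192.0.2.5 51234 443\n",      # missing CR
]

MAX_V1_LINE = 107  # longest legal v1 header line including CRLF


class ProxyHeaderError(ValueError):
    """Raised for any malformed or untrusted PROXY header."""


def parse_proxy_v1(data: bytes):
    """Parse a PROXY protocol v1 header at the start of `data`.

    Returns (info, rest): info is None for "PROXY UNKNOWN", otherwise a dict
    with family, src/dst addresses and ports; rest is the payload after the
    header. Raises ProxyHeaderError on anything that is not a valid header.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ProxyHeaderError("no CRLF-terminated PROXY line within 107 bytes")
    line, rest = data[:end], data[end + 2:]
    fields = line.split(b" ")
    if fields[0] != b"PROXY" or len(fields) < 2:
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == b"UNKNOWN":
        # Terminator could not report the original endpoints; the rest of
        # the line is ignored by definition.
        return None, rest
    if len(fields) != 6:
        raise ProxyHeaderError("expected 6 space-separated fields")
    want_version = {b"TCP4": 4, b"TCP6": 6}.get(fields[1])
    if want_version is None:
        raise ProxyHeaderError("unsupported protocol family")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ProxyHeaderError("ports must be unsigned decimal integers")
    try:
        src = ipaddress.ip_address(fields[2].decode("ascii"))
        dst = ipaddress.ip_address(fields[3].decode("ascii"))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ProxyHeaderError(f"bad address: {exc}") from None
    if src.version != want_version or dst.version != want_version:
        raise ProxyHeaderError("address family does not match TCP4/TCP6")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    info = {"family": fields[1].decode(), "src": str(src), "dst": str(dst),
            "sport": sport, "dport": dport}
    return info, rest


def rejects(data: bytes) -> bool:
    """True if parse_proxy_v1 refuses `data` (used to exercise SAMPLE_BAD)."""
    try:
        parse_proxy_v1(data)
    except ProxyHeaderError:
        return True
    return False


def client_address(peer_ip: str, trusted_terminators: set, data: bytes):
    """Return (client_ip, payload) for a newly accepted connection.

    The PROXY header carries no authentication, so it is honoured only when
    the TCP peer is one of the configured terminators (assumed set, this
    example's own). From any other peer a PROXY line is an error, not a
    header, which prevents a direct client from spoofing its own address.
    """
    if peer_ip not in trusted_terminators:
        if data.startswith(b"PROXY "):
            raise ProxyHeaderError("PROXY header from untrusted peer")
        return peer_ip, data
    info, rest = parse_proxy_v1(data)
    if info is None:
        return peer_ip, rest  # UNKNOWN: fall back to the terminator's address
    return info["src"], rest


if __name__ == "__main__":
    print(client_address("10.0.0.2", {"10.0.0.2"}, SAMPLE_OK))
    print([rejects(b) for b in SAMPLE_BAD])
```

The separation of concerns the comment argues for shows up in the last function: the terminator owns the TLS handshake and certificate handling, and the cache needs only a small, strictly validated header plus a rule about which peers may send it. In deployment that rule is expressed by binding the PROXY-enabled listener so that only the terminator can reach it.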

You did a little work, avoided doing a lot more work, and justified it with "more components = better." Fine. Not the only approach but certainly not a radical one either.

You could have stopped there. My feeling is that you should have.

But the rant part of your post? Evoking Heartbleed and "I told you so" and Snowden and digs on BSD and "big transnational, and therefore law-less, companies." Well, that makes you look a little wacky.

By doing this you attracted unnecessary attention to yourself (perhaps the point) but also generated no positive goodwill for the product. Worse, it made me question the motivations behind the technology decision.

It's not a good tech post and it's not a good marketing post.

As I stated, there are people who do this sort of thing well. Your post is an example of not doing it well.

> You did a little work, avoided doing a lot more work, and justified it with "more components = better." Fine. Not the only approach but certainly not a radical one either.

Your interpretation of this is ridiculous.

You may as well dismiss Linux because the kernel doesn't include an ANSI-SQL-compliant database and runtime environments for Perl, Ruby, Python and PHP.

There is immense value in having several small, specialised tools that can be used together to form a solution.

Likewise there is immense value in having a simpler solution with fewer parts -- when appropriate and when possible. This is part of what we decide as engineers.

It's also easier to sell someone on your component strategy when you don't trash every possible piece that could plug into the hole you've left -- from operating systems and open source crypto packages to government agencies and transnational corporations. But that little observation seems to be getting lost in the noise here.

So we have established that your factual knowledge of Varnish is severely lacking (and/or skewed), and now you have just demonstrated that you have no idea who you are lambasting either.

Let me know if you ever want to have a fact-based discussion; in the meantime, don't get cold up there on your high horse.

I gave a talk called "NSA Operation Orchestra" some time ago, I recommend you watch it, it might give you something to think about.

See, that's just the thing. I tuned Varnish for 32-bit machines (a terrible idea), I sent in patches. I love everything about OpenBSD. I think the NSA are a bunch of cocksuckers. And I also think that when you combine all those things in a post talking about a feature decision it makes you look like a lunatic. Talk to Percival, he gets it. And thank you for the work on Varnish; it seriously saved several sites.