[phkamp]

I have a really hard time following your argumentation, because it seems to have very little to do with both reality and what I wrote.

What I did WRT moving people closer to the finish line was to implement the PROXY protocol, so that using a(ny) preexisting and well-tested SSL-termination solution works seamlessly with Varnish.

IMO, that is a far superior solution to adding a lot of security critical code to Varnish which, at the end of that huge effort, doesn't work any better.

As I wrote in my piece: "the world really don't need another piece of code that does an half-assed job at cryptography"

And doing a full-assed job only makes sense if you have the resources, competence (important with crypto!) and the result makes a positive contribution, one way or another, which offsets the cost of its production.

Nobody has yet been able to point out what the positive contribution would be, compared to a solution where SSL termination is its own layer.

Do you know something about that which I don't ?

If so, please share...

[tacos]

You did a little work, avoided doing a lot more work, and justified it with "more components = better." Fine. Not the only approach but certainly not a radical one either.

You could have stopped there. My feeling is that you should have.

But the rant part of your post? Evoking HeartBleed and "I told you so" and Snowden and digs on BSD and "big transnational, and therefore law-less, companies." Well, that makes you look a little wacky.

By doing this you attracted unnecessary attention to yourself (perhaps the point) but also generated no positive goodwill for the product. Worse, it made me question the motivations behind the technology decision.

It's not a good tech post and it's not a good marketing post.

As I stated, there are people who do this sort of thing well. Your post is an example of not doing it well.

[stephenr]

> You did a little work, avoided doing a lot more work, and justified it with "more components = better." Fine. Not the only approach but certainly not a radical one either.

Your interpretation of this is ridiculous.

You may as well dismiss Linux because the kernel doesn't include an ANSI SQL compliant database and runtime environment for perl, ruby, python and php.

There is immense value in having several small, specialised tools that can be used together to form a solution.

[tacos]

Likewise there is immense value in having a simpler solution with fewer parts -- when appropriate and when possible. This is part of what we decide as engineers.

It's also easier to sell someone on your component strategy when you don't trash every possible piece that could plug in to the hole you've left -- from operating systems and open source crypto packages to government agencies and transnational corporations. But that little observation seems to be getting lost in the noise here.

[phkamp]

So we have established that your factual knowledge of varnish is severely lacking (and/or skewed) and now you just demonstrated that you have no idea who you are lambasting either.

Let me know if you ever want to have a fact-based discussion, in the meantime, don't get cold up there, on your high horse.

I gave a talk called "NSA Operation Orchestra" some time ago, I recommend you watch it, it might give you something to think about.

[tacos]

See, that's just the thing. I tuned Varnish for 32 bit machines (a terrible idea), I sent in patches. I love everything about OpenBSD. I think the NSA are a bunch of cocksuckers. And I also think that when you combine all those things in a post talking about a feature decision it makes you look like a lunatic. Talk to Percival, he gets it. And thank you for the work on Varnish, it seriously saved several sites.

[phkamp]

So what you're saying is that because you disagree with me, I'm a terrible person ?

Needless to say, I don't agree.