
Sponsorship needed for new OS/2 web browser (2017) - robin_reala
http://articles.os2voice.org/category/software/11-sponsorship-needed-for-new-os-2-web-browser.html
======
closeparen
OK, I understand why someone might need to maintain and deploy an OS/2 app
deep within some enterprise backend, but why on earth is anyone trying to
browse the web with it?

~~~
JdeBP
Because the likes of eComStation and ArcaOS have consumer-level tools. Both
come in business/commercial and home/personal flavours.

* [http://ecomstation.com/](http://ecomstation.com/)

* [https://www.arcanoae.com/arcaos-5-0-now-available/](https://www.arcanoae.com/arcaos-5-0-now-available/) ([https://news.ycombinator.com/item?id=14359630](https://news.ycombinator.com/item?id=14359630))

~~~
danieldk
Put differently, why would anyone in their right mind use OS/2 to browse the
web, given that it misses more than two decades in development of security
techniques? As far as I understand Mensys and now Arca Noae never had the
source code to the OS/2 kernel or foundational libraries. Given that this code
was written in the late eighties-half nineties in a largely pre-internet
world:

- It's likely that many of the libraries are full of buffer overflows, double
frees, dangling pointers, etc.

- OS/2 is not a multi-user system, there is no boundary between a user and a
root-like account.

- OS/2 does not have modern mitigation techniques like (K)ASLR, probably no
PIE/PIC, stack canaries, etc.

- OS/2 (AFAIR) does not offer sandboxing facilities, such as seccomp,
capsicum, or pledge.

- OS/2 has no protection against recent CPU vulnerabilities.

So, if you are using OS/2 to browse the web, you are purely relying on
security through obscurity.

~~~
JdeBP
They aren't using OS/2 to browse the WWW. They are using Mozilla Firefox to
browse the WWW. In case you missed it, the headlined article even tells you
that this is version 52 of Firefox, from March of last year.

The same goes for many of these libraries that you vaguely allude to. They
aren't part of the operating system. Almost all such major programs tend to
have layers of either Unix-alike or Windows-alike libraries over the top of
the operating system API. They are third-party add-ons, presumably built from
equally recent versions.

And that goes a long way down. This isn't Unix. There is no single,
distinguished, "the" C library. Every compiler has its own C libraries.

~~~
danieldk
_They aren't using OS/2 to browse the WWW. They are using Mozilla Firefox to
browse the WWW._

In the end there will still be calls into the Presentation Manager to render
pages on screen. Also, TCP/IP are handled through system libraries (tcp32.dll,
so32dll.dll). So, there is a large surface area where Firefox will use system
libraries.

Besides that, the web browser can have vulnerabilities and runs untrusted
code. It's pretty insane to use a browser in 2018 that doesn't execute
Javascript in sandboxed processes.

~~~
JdeBP
Mozilla Firefox not sandboxing Javascript is not an OS/2 problem. It is a
Mozilla Firefox problem.

The problems with WWW browsers are not solved on other operating systems, are
a lot more to do with a user being vulnerable to processes _running as
xyrself_ which multi-user semantics will not address on _any_ operating system
until the world starts taking advantage of GNU Hurd or nonce SIDs, and in
large part lie _within the application_.

* [http://explainxkcd.com/wiki/index.php/1200:_Authorization](http://explainxkcd.com/wiki/index.php/1200:_Authorization)

They lie in cryptography implementations, in the architecture of downloading
programs across the WWW from arbitrary third parties and running them, in the
access from one WWW site to another, in the architecture of "Web APIs" and
non-document WWW sites, in document model implementations, and so forth.
Presentation Manager and low-level sockets form almost none of this. You are
positing that the major locus for flaws is libraries that literally provide
the low-level read()/connect()/bind()/&c. library functions. Whereas the
add-on libraries that the people porting these applications have to _also_ build,
from SSL libraries through HTML parsers to PNG and MPEG processors, form a lot
of it; but are not part of OS/2 nor set in stone.

You cannot have your cake and eat it. Either OS/2 comes with this stuff and it
is a problem that the stuff is old with known vulnerabilities, or the problem
is (as indeed explained in the headlined article) that OS/2 _does not_ come
with this stuff and a large amount of effort is needed in porting all of these
modern libraries, runtimes, and even whole language development toolsets to
OS/2. The reality is the latter. They are, after all, asking for money for
doing one part of exactly that.

But that reality means that vague handwaving about "written in a pre-Internet
world" (which it of course was not, the Internet pre-dating any version of
OS/2 by about a decade) is ill-thought. The irony is that the vast bulk of the
so-called "surface area" in a WWW browser is in all of these application
layers and libraries that are _modern_.

Or, put more glibly: I don't expect _any_ Javascript security holes in IBM
WebExplorer _ever_.

------
DonHopkins
If you really need OS/2 so bad, then why not just run OS/2 in the web browser
sandbox on top of a modern operating system?

~~~
flafla2
Exactly—modern browsers are about as complicated as OS/2 anyway.

------
mattparlane
Update: [http://articles.os2voice.org/category/voice/17-new-web-brows...](http://articles.os2voice.org/category/voice/17-new-web-browser-for-os2-roadmap-update-4.html)

They've raised $12,650 and think it will take around 18 months.

------
JdeBP
That's October 2017. There was a follow-on in November 2017 that answered some
questions.

* [http://articles.os2voice.org/category/voice/12-update-on-the...](http://articles.os2voice.org/category/voice/12-update-on-the-voice-browser-funding-campaign.html)

And further follow-ons as already mentioned in this discussion.

* [https://news.ycombinator.com/item?id=17461751](https://news.ycombinator.com/item?id=17461751)

------
ricardobeat
No mention of NetSurf? It’s a much simpler codebase that should be easy to
port.

~~~
classichasclass
I love NetSurf and I love that it even exists. It's fun browsing pages in a
reasonable fashion on my '060 Amiga 4000T.

However, NetSurf's DOM and JavaScript support is embryonic by comparison, and
sites other than static pages generally don't work. It's slowly improving but
it's nowhere near Gecko, WebKit or Blink.

------
mhd
So what makes Rust impossible to port to OS/2?

~~~
ofrzeta
They said "unlikely" not "impossible". I guess it is unlikely because no one
is willing to put in the massive resources needed to port Rust to an archaic
platform.

Here's a link about porting the Rust compiler to the Haiku OS:
[http://rust-on-haiku.com/wiki/PortingRust](http://rust-on-haiku.com/wiki/PortingRust)

Please note that Haiku is among the supported OSs of the LLVM compiler
framework while OS/2 isn't. So unless you want to re-create a Rust compiler
from scratch you would first need to port LLVM to OS/2.

~~~
mhd
Yeah, the backend not being available is certainly a showstopper, thanks. GCC
being ported to every silicon-based system under the sun does blind one to the
fact that that isn't necessarily true for its rivals.

~~~
_verandaguy
It probably helps that GCC was around when OS/2 and other now-archaic systems
were relevant.

------
kalleboo
eComStation and ArcaOS are commercial software, shouldn't their developers be
the ones paying for the effort to keep their clients' software cheaper to
maintain on their legacy platforms than rewriting it to something
better-supported?

~~~
zerr
Yup. I'd love to get paid for working on OS/2 apps.

~~~
kjrose
Same here. Man. That would be some serious nostalgia.

------
mhd
I wouldn't be surprised if by sheer code size _and_ tools needed, a major
browser is a more complicated me…, erm, project, than the OS+UI itself.

------
stuaxo
Lack of Rust on OS/2 is touted as a reason for not porting more modern
Firefox, I wonder if anyone has had a go at porting Rust to OS/2?

~~~
Ygg2
Not so much lack of Rust, as lack of LLVM, that Rust needs to build.

------
JdeBP
For those wondering what Warpstock 2018 Toronto had to do with it, that is
apparently a mis-print in an article written in 2017. (-: Here is Warpstock
2017:

* [http://warpstock.org/staticpages/index.php?page=ws2017_sessi...](http://warpstock.org/staticpages/index.php?page=ws2017_sessions)

------
JdeBP
Interestingly, the SPARC people with TenFourFox suffer for the same reasons.

* [http://tenfourfox.blogspot.com/2018/07/another-one-bites-rus...](http://tenfourfox.blogspot.com/2018/07/another-one-bites-rust.html)

~~~
hsivonen
TenFourFox isn't SPARC but PowerPC. Rust runs on PowerPC but not on OS X on
PowerPC. OS X earlier than 10.7 lacks at least some thread-local facilities
that Rust expects.

~~~
sanxiyn
[https://github.com/rust-lang/rust/issues/11927](https://github.com/rust-lang/rust/issues/11927)
is the discussion when minimal OS X version for Rust
was bumped to 10.7.

------
lamarpye
Seems like if you ordered the things that needed funding, OS/2 would be near
the bottom of the list.

Maybe Gates could cough up something, just for the irony.

