
Show HN: Warp – Secure and simple terminal sharing - spolu
https://github.com/spolu/warp?attempt=8
======
siliconc0w
Cool tool but in the Readme you should probably explain a little bit 'how it
works' rather than just 'how to work it'. In this case, I imagine it needs to
connect to and trust some outside coordinating service run/owned by someone
(you?).

~~~
efficax
I agree. This tool is pretty cool but I was a bit confused about how it could
work since it just "worked" without prompting for a server. Looking at netstat
it looks like warp connections are handled by connecting to an ec2 instance at
ec2-35-162-152-151.us-west-2.compute.amazonaws.com, on port 4242.

~~~
spolu
Thanks! Great feedback. I'll make sure to make it clearer.

------
joeyh
I recently built [https://debug-me.branchable.com/](https://debug-me.branchable.com/)
which also does quick and easy terminal sharing, but with
the addition of a cryptographically secure proof of what was done in the
session, rooted at the gpg key of the person who connected to it.

~~~
ecma
Just say that it's a signed log of the session. "Cryptographic proof" isn't
necessarily incorrect but it has other connotations which don't make any sense
here and make it sound like it's doing something it's not (think cryptanalysis
or ZKPs).

------
dakra
Another good open source terminal sharing service is
[https://tmate.io/](https://tmate.io/)

This gives you 2 ssh addresses (read only and read write) that you can send
out.

------
SparkyMcUnicorn
I've been using [https://www.teleconsole.com/](https://www.teleconsole.com/)
from the team behind teleport. It has Linux, MacOS, FreeBSD, x86_64 and ARM7
support.

This looks like a great project and I'll be keeping my eye on it, but there's
no reason for me to switch to this and lose out on features.

It's open source, and you can even set up your own proxy so you don't need to
rely on gravitational's servers.

~~~
sillysaurus3
It's a bit rude to post alternatives in someone's Show HN without also giving
ideas on how to improve their product (e.g. which features specifically would
you be missing out on?)

I guess it's not so much the posting of alternatives, but you're really
selling that particular alternative. It'd be nice for Show HNs to be less
cutthroat.

~~~
codezero
I've never heard this. I always find relevant alternatives in HN comments as
helpful, allowing people to compare and contrast different features and
functionality.

I also don't see anything in the guidelines about this kind of thing, has a
mod commented about it before?

~~~
sillysaurus3
Again, it wasn't about the posting of the alternative. It was the casual
dismissal plus the lack of any useful feedback.

This wasn't a Show HN when the comment was posted, though, so it's a moot
point.

~~~
spolu
The datapoints are definitely interesting. Thanks for sharing what you use!

------
ecma
Can someone explain the actual use of sharing a terminal with someone while
not being in person with them (in which case they could just watch you and
shotgun the keyboard?)? I can't imagine watching someone else's terminal
session without them talking about what they're doing and why would be
particularly informative or help with onboarding. Maybe it's just one of those
things that work for some people and not others?

~~~
viraptor
You call them. You don't need to literally sit next to them to hear them.

~~~
spolu
Yes this is intended to be used with an audio link.

------
confounded
Why no explicit Linux support?

------
m-j-fox
The feature I'd suggest for any peer-to-peer application such as this is some
kind of firewall punching. It generally requires a 3rd-party on the internet.
To avoid running services for a low-bandwidth application like this, maybe it
could tunnel through a public IRC server or other public chat system.

------
fiatjaf
Does it relate somehow to Joey Hess's debug-me[1]?

[1]: [https://joeyh.name/blog/entry/announcing_debug-me/](https://joeyh.name/blog/entry/announcing_debug-me/)

------
ilaksh
Is this better than gotty?

------
troydavis
How many times is it reasonable to submit the same URL to HN?

This link is to
[https://github.com/spolu/warp?attempt=8](https://github.com/spolu/warp?attempt=8).
If one needs to add an "attempt" HTTP parameter to track submissions of the
same URL, and this is the 8th attempt, that seems like way too many.

Here's a few prior identical submissions by the same person:

1:
[https://news.ycombinator.com/item?id=14398392](https://news.ycombinator.com/item?id=14398392)
(ie,
[https://github.com/spolu/warp?attempt=1](https://github.com/spolu/warp?attempt=1))

4:
[https://news.ycombinator.com/item?id=14407813](https://news.ycombinator.com/item?id=14407813)

6:
[https://news.ycombinator.com/item?id=14452505](https://news.ycombinator.com/item?id=14452505)

If 8 isn't too many, what is? 20? Submit the same link every day indefinitely
until it reaches the front page?

~~~
derefr
If something had enough inherent interestingness to end up at the #1 position
(as this submission is right now), then I'd argue that its taking a number of
attempts to do so is an indictment of the ranking algorithm for burying it
before, rather than an indictment of the author for persisting.

Certainly, if someone persists in trying and the thing just _never_ gets
popular, that's just spam. But if "the right timing" was all that was needed
to cause the submission to hit #1? Maybe "the right timing" needs to be a
concept built into the submission queue.

~~~
troydavis
It's an interesting question. I could see it being a mix of that and a
poor-quality ranking algorithm, so that it's too easy for articles to end up
buried.

Most examples of this are one person submitting daily articles from their own
site or sites they're paid to market. Sometimes even those end up near the top
of the front page, and often when that happens, if one looks at prior
submissions from that same person and site, the article that made the front
page seems like it would do worse than prior articles.

I could see all of this as an indicator that the ranking/voting doesn't do a
great job of letting interesting stuff get a shot, nor of penalizing folks who
constantly submit posts on their own site (for months - different than this
situation). The "New" page is easy enough to ignore that I could imagine few
visitors looking at it regularly, so the profile of visitors to that page is
different than to the home page.

------
tjoff
I really like that it goes against the current cancer we are experiencing on
the internet. That is,

* You don't need to rely or surrender to the cloud.

* Neither you nor the clients need to create an account (or worse, require a google/facebook account).

~~~
jdormit
> You don't need to rely or surrender to the cloud

I would imagine that this goes through someone's server. It would be helpful
if the readme gave a little more detail about how this works.

~~~
city41
Looking at the source code suggests it is peer to peer. The code for daemon
indicates you need to specify what address and port to listen on when starting
up, and there is code about receiving incoming clients.

[https://github.com/spolu/warp/blob/master/daemon/cmd/warpd/m...](https://github.com/spolu/warp/blob/master/daemon/cmd/warpd/main.go#L22)

~~~
lilactown
This is false. There has to be some way to resolve the name used (e.g. in the
example, `warp connect goofy-dev` is used) to an IP address.

Looking through the source code, I've found these lines:

[https://github.com/spolu/warp/blob/master/client/command/con...](https://github.com/spolu/warp/blob/master/client/command/connect.go#L107)
[https://github.com/spolu/warp/blob/master/client/command/con...](https://github.com/spolu/warp/blob/master/client/command/connect.go#L156)
[https://github.com/spolu/warp/blob/master/protocol.go#L13](https://github.com/spolu/warp/blob/master/protocol.go#L13)

It looks like it defaults to connecting to `warp.link:4242`. I can't tell if
it's routing the entire connection through warp.link or if it's just resolving
the name to an IP address that then connect directly (I don't know Go very
well).

~~~
comboy
Given that it's not explicit in the readme, not that easy to find in the code,
and repeatedly posted to HN I would assume malicious intent and stay away from
it.

Assuming no malicious intent, not disclosing anything about it in the readme
suggests a not very security-oriented mindset and therefore it's likely just not
secure enough to use.

