Hacker News new | past | comments | ask | show | jobs | submit login
The gimp.org domain has expired (gimp.org)
156 points by danr4 on Aug 6, 2015 | hide | past | favorite | 92 comments


Domains have a renewal grace period. Since it expired recently, they'll be fine.

Can the headline be changed to reflect the fact that it expired and wasn't "poached"?

Seconded, since the registrar has to provide a grace period, but can still redirect the expired domain to any place they like.

Edit: Not any place you want actually...

Per ICANN if domain is made innactive the page that it points to if it points to a page (it doesn't have to you can just put the name on hold) needs to describe how to get the domain back. Once again that's only if a page is displayed displaying a page is not required.


"2.2.4. In interrupting the DNS resolution path of the registration, if the registrar directs web traffic to the domain name to a web page while the registration is still renewable by the RAE, that web page must conspicuously indicate that the domain name registration is expired and provide renewal instructions."

And how often is this enforced? Does the registrar actually face anything punitive for doing what's been done here?

Good question. ICANN does audits where they cherry pick some domains and say "show me what the fuck happened in logs and prove you did the right things". However the audits are every 3 years or so and the domains are just random pickings. So it's up to a registrant that is wronged to file a complaint and then ICANN says something to the registrar and the registrar says something back and they close the case kind of like a residential noise complaint where the cops come out when called. There really aren't any minor punitive actions per se other than revoking accreditation which is major. And you would be correct in assuming that would be rare and ICANN first gives every chance for a registrar to correct the wrong doing. So you could in theory get away for this for years and if and when caught you would just get your act together and fix things up.

Note: I have been dealing with ICANN since the start and they tend to be pretty cool and fair with registrars but they do take complaints seriously and do follow up on them. Creates a ton and a pain of paperwork for registrars so that really is the negative to not complying in a way.

Thanks, we've updated the title.

This is exactly why we created a domain name/ssl reminder tool: http://www.expirify.com. A really easy mistake to make and very costly, I hope they get it back

Shouldn't the registrar do that? Namecheap sends me multiple emails when any of my domains is about to expire, it's just common business sense.

1&1 and gandi both offer automatic renewal. In fact I don't think I would use a registrar that didn't offer that.

More likely what happened was that the guy who was incharge disappeared and/or his credit card number changed. And when the registrar tried to renew - it couldn't and I'm sure sent tons of emails of "HEY YOU NEED TO FIX THIS". Something similar almost happened to CentOS.

Most of them offer automatic renewals--they love customers that click automatic renewals. Godaddy literally changes your setting to automatic renewal.(This would be a good class action lawsuit--for such a classy company?)

The problem with automatic renewals is its fine if you just have one domain. If you have a lot of domains it makes financial sense to shop around? I've always gone with the cheapest registrar(that I feel will be around in a year, or two), and never had a problem. Personally, I heard a long time ago the true cost of registering a domain is around $7.49. I don't know if that's correct? I don't like to pay much more than that per year--just on principal.

Since, people are throwing around companies, Google domains are $10 bucks a year/with free privacy. (At least they were a few months ago?) Godaddy did away with renewal discount codes; I see no reason to use that company anymore?

Namecheap and GoDaddy also offer auto renewal. I've never heard of auto renewal not being offered.

Hover as well.

I've been with Gandi for years, absolutely love them

So far it's been rocky with me. I had a VM that I used with what I think is called GandiFlex (I set it to lower the memory during the night and increase during the day) and apparently when my VM tried to scale up the hypervisor didn't have enough memory and for some reason failed to migrate the VM to another hypervisor. This left my VM offline for many hours until I noticed it.

Gandi's customer support official response "don't use it". Gandi's management response "you are right - we don't have enough monitoring and are looking into it". With no follow ups.

At least they credited me, generously, for their latest outage in their US datacenter.

The registrar part of Gandi (their historical business) is very, very good. The hosting part (more recent business) slightly less so.

Some domain registrars send postal notices. However they don't charge discount pricing.

The registrar does indeed do that, but only to the owner of the account. What if say you work in an agency and the person who setup the account has left? We created Expirify because we missed an SSL certificate renewal notice because it was sent to somebody who no longer worked with us...

This is actually mandatory for gTLDs:


Just a heads up, your DNS took a long time to resolve for me. You appear to have an invalid nameserver (ns3.gridhost.co.uk) listed at the root.


Thanks r1ch! I'll get that sorted :)

It looks like the service is free. How do you make money on the site?

You could be somewhat sinister and register domains that have been submitted but not renewed and offer to transfer them back for a fee.

If you only offer it to the original owner and the fee isn't particularly exorbitant, say $10 - $100, it might not even be sinister. Wouldn't you rather pay the slightly inflated renewal than deal with someone who's asking 5 - 6 digits?

The service is currently free, there's a bunch of ways we might monetise it but for now we're happy putting out there to see how people get on with it.

How is this necessary if there is a grace period after a domain expires?

It is still better to act early than having someone else squatting your address for a few days.

See above comment from icebraining

> Some people manage dozens, or even hundreds of domains. It's quite common in the "custom website design" world for the company (often a small agency) to manage the hosting of the site and domain.

You can't use your domain in grace period until you pay. It gets redirected.

With ICANN registrars, that is true.

DENIC, for example, (which operates seperately and has their own, incompatible WHOIS system), operates .de differently:

After your domain ran out, it will get "locked", all DNS settings will be locked they were before, and you get a letter or an SMS. The domain will stay locked for 2 weeks, during that you can enter the code from the SMS or letter on a website to move the domain to another registrar or delete the domain.

If you don’t react at all, after 2 weeks, the domain goes into TRANSIT. It still stays locked, but now you get actually billed for it, until you enter the code or delete the domain.

Essentially, with DENIC, the domain stays locked until you decide to delete it or move it to another registrar.

You can also disable the TRANSIT, in that case, if the domain runs out, after 2 weeks grace period of being locked it actually runs out.

Remember: Not all NICs operate like ICANN.

Easy? Really? I get that you are offering a service, but I can guarantee that if there were something as fundamentally and existentially important as securing my domain name, it would not be an easy thing to forget to do. I can't even begin comprehending how one forgets to do such a thing.

Some people manage dozens, or even hundreds of domains. It's quite common in the "custom website design" world for the company (often a small agency) to manage the hosting of the site and domain.

Yep, that was exactly the use case we built it for. We scratched our itch. When you've got a group of people all managing domain names/SSL certs for various customers it's very easy to lose track of one.

Not poached, but definitely now in the 30-day grace period[1].

[1] https://www.dotster.com/domains/faq.bml

We should stop using the domain name system to name web pages and email addresses. It is too vulnerable to legal attacks, extralegal attacks, and simple human error.

There are a bunch of decentralized possibilities out there: IPFS, Tahoe-LAFS, MaidSafe, and so on. None of them are ready yet, except (for some purposes) FreeNet and Tor Onion Services, and it's going to be a lot of work to get them to work, and probably some of them are simply unworkable. But this is a really, really important problem to solve, and it's solvable.

Excellent plan.

Now we only need to worry about the small matters designing an alternative system that acheives what the domain name system does without those draw-backs, and convincing people to use the new system...

There is one, and its called search. People are getting used to ask the search engine on their phones and tablets for finding websites, so the big engineer problem is remaking the service into private instances which isn't controlled by google or apple.

There are many circumstances where direct linking is needed, including from outside the system (posters, business cards) - search doesn't work for that.

Even if you go for something like QR codes you want a method that doesn't rely on encoding the fixed network address of a resource (as fixed addresses are usually not as permanently static as they are initially intended).

So on your business card instead of putting your name@domain you can just put "Hey! To find me just google 'my name at my long company name'" and people will end up in the right website, right? And what about email?

Put a QR code of your public key or public key hash on your business card, like the one in http://www.openbsd.org/papers/bsdcan-signify.html. You really only need about 80 bits.

It's true that people find things by googling them, and so it usually doesn't really matter if a hostname is www.gimp.org or eqt5g4fuenphqinx.onion, while it does really matter that the search link via www.gimp.org can break suddenly for no good reason. It also matters that the pages at eqt5g4fuenphqinx.onion are dependent on a server operator.

How would hyperlinks work in this model? If I have a hyperlink "This is an awesome program" that links to gimp.org, how is search going to help if gimp.org goes away?

If we look at how people currently share links in social media then url shorterners are very common in use. That would point towards either local or centralized services providing the share-ability of links which would translate between a local address and a global name which may simply be a hash string. There are also QR codes and magnet links which neither rely on a domain name service to operate, but which are used by people to share the address identification for a resource.

They are not trivial solutions to the problem, but the fact that they are in use makes its plausible that a solution can be found.

The hyperlink URL text could contain a secure hash of the gimp.org home page. Or a revision number and the hash of a public key used to sign gimp.org home page revisions. Or of a document containing three public keys, the majority of which need to sign a home page revision for it to be considered a valid value for the link. Or, as in onion services, the hash of the public key of the server hosting the document, along with a document path to send to that server when you manage to reach them. Or a name unique within a certain namespace, and a public key used to sign new versions of the document listing the name-hash mappings for the latest version of the namespace. And maybe a list of IPv4:port pairs to contact to ask for the document. Or the name of a decentralized pub-sub channel where versions of the page are periodically announced — maybe the Bitcoin blockchain. There are lots of possibilities.

"The hyperlink URL text could contain a secure hash of the gimp.org home page. Or a revision number and the hash of a public key used to sign gimp.org home page revisions."

That would help to make sure you got the right page, but wouldn't help you find it.

Your other suggestions (e.g. a list of IP addresses/ports) are basically just reimplementing DNS, but with more complexity. :-)

With more or less complexity (although that statement makes me suspect you’ve never administered BIND) — but with different failure characteristics! And hopefully better ones.

Seems insanely sensitive to fraud and pretty much impossible to implement, in a usable way, on the same scale as current DNS.

I like your idea, contact me at a930e4bc4ff969fe52437f14b50535ae908683af and we'll discuss next steps :)

No matter what system you will come up with, it will always be vulnerable to the actors trying to game the system. Like with many other cases, I think we're making the same mistake airport security does - focusing on last year's threats. We need to put more effort into winding ways to punish assholes (the technical term would be "defectors").

You don't have to be an asshole to forget to renew your domain name, which is probably what happened here. Or to die without heirs who care. Or to not properly maintain your RAID, which is apparently what happened at SourceFarce. Are you suggesting we should be punishing ICANN and EMC? Probably the only practical way to "punish" them is to build a system that decentralizes the control out of their hands.

I wasn't thinking about this type of problems. I was thinking about domain squatting, poaching and various ways people try to make money off people's honest mistakes.

I think that if we have a usable system that keeps the original author of a page from being able to make it unavailable, it will also probably solve those other problems.

Care to propose and develop an alternative?

Is there a good alternative idea?

I don't know about "good", but there are Namecoin, based on bitcoin-like blockchains, and P2P DNS, based on torrent-like protocols. Some people run alternative DNS servers, without the sanction of ICANN. TOR hidden services directories might also be evolved into something similar to a DNS competitor.

The current DNS system is based on a central service authority, which creates a monopoly on an artificially scarce resource. If the whole web went IPv6 and no web server had to share an IP with another, private address book names, shared via social connections, could handle the naming of everything out on the long tail of site popularity, and the largest sites could continue using whatever makes the most money for them. I can input names myself to attach to the phone numbers I know, and pass them to a friend with a NFC tap or message, so I could potentially also do that for IP address numbers.

I don't particularly want my ability to use the web controlled by ICANN as a single central authority, especially as I perceived the recent TLD sale as a blatant cash grab. The central authority has to be trustable, and I don't fully trust it.

Updated Date: 2015-08-06T08:16:07Z


Gimp.org domain: Created 1997-08-04 Expires 2015-08-03. So expired 3 days ago.

If it expired three days ago, isn't there a 30 day window whithin which they can still renew?

Yeah, it gets put on hold for 45 days at which time it can be renewed. If it isn't renewed with that 45 day window, then it gets listed as "expired" and the owner still has another 30 days to renew it.

Once it goes beyond these two phases, it enters into the "pending delete" phase at the end of which, it's released and open to get hijacked by someone else.

They still have plenty of time to renew it without issue.

Looks more like someone forgot to pay the domain fee

Poaching is registering a recently expired domain, usually so that you can (effectively) extort the original owner to buy it back from you.

When I go there now, I see the same site that's been there for a while: https://web.archive.org/web/*/gimp.org

So maybe it was returned to its owner?

Or maybe you are using the old IP from your DNS cache?

I don't understand registrars that don't alert you to the fact that it is going to expire. I have that registrar that everyone loves to hate and they are damn good at reminding me when to renew and not annoying me in between such times.

(as in, I have godaddy)

I'm pretty sure every registrar does this. It is in their interest: they remind you to pay so they get your money instead of some other registra getting a poacher's money.

A key problem is people not seeing the reminders. Perhaps they get lost in a sea of spam. Perhaps they get accidently calssifed as spem themselves. Perhaps the contact information for the domain isn't kept up-to-date and the reminders end up in an email account that is no longer monitored.

They're probably just moving to Sourceforge.

It looks fine to me? What are you talking about?

I get the correct gimp.org site too. whois seems to indicate Shawn Amundson as the owner, which sounds about right.

I wonder if we're part way through DNS propogation

It looks like this to me: http://i.imgur.com/qxjaDqP.jpg

Okay this is weird. It is a blank page with "Domain not active." on it.


It displays http://domainnamesales.com for me

for me it shows the page of domainnamesales.com. maybe someone forgot to extend the domain, so poached might be a little premature.

Just tried it from a work PC that hasn't been before (so fresh cache), got domain sales

I see a domain registration site.


Note to self: check gimp.org on September 3rd to see if it was renewed or not.

In all seriousness I'm pretty surprised they would let it lapse. Hopefully they pick it up within the grace period. It would suck for a bad actor to get ahold of it and offer up the gimp for download with, say, malware in it.

Well, Shawn has already renewed gimp.org.

This wasn't really surprising to me* - some months ago, when we discovered that gimpguru.org (no one from GIMP is connected to that site, btw) had expired and taken over by a third-party, we checked and discovered that gimp.org expires on 2015-08-03.

Personally, I firmly believe that useful change only happens when survivable incidents happen, so my only concern was whether gimp.org would be lost immediately it wasn't renewed before that date. But when someone pointed out the grace period, I thought "well, either it is renewed in time, or we will have discussions similar to those that happen right now, might be a good wakeup call".

* but yes, of course I was surprised when I couldn't connect to www.gimp.org anymore, in particular because I had some updates planned for the downloads pages, because I had simply forgotten about it. Dismissing it as a non-issue until something actually happens tneds to cuase this, apparently.

I get "Domain not active" so what people get may vary depending on their location.

They should have at least had a monitoring service like https://www.dotcom-monitor.com monitoring their site so they knew about the issue right away.

URL poaching is messed up.

don't be a jerk.

As others have said, I don't think it was poached, more likely it's in the 30 day grace period for a missed renewal. Hopefully they'll get it sorted soon.

And yes, domain poaching is very douche-y, and is basically extortion.

Question: Alternative download links for Mac and Windows? (No Sourcforge)

Looks like Fosshub has it: http://www.fosshub.com/GIMP.html

(to anyone who knows this: it looks to me like fosshub wants to be the anti-sourceforge, the new home for binary opensource downloads, and that they're non-evil. is this true?)

Yes we do have the GIMP binaries as we took them directly from GIMP.org - the official homepage. The files are 100% clean, feel free to download them. Thank you!

It seems legitimate, and I agree with their stance (if not their tone) in the "Controversy" section of their FAQ.

I'd love to see them put out a tool similar to Ninite, though I don't know if they have the resources to allocate for that.

Thank you for the confidence! We can assure you that our intentions are "good". As for the Ninite suggestion, unfortunately (since FossHub is NOT after the money) we don't have the financial resources to add such a tool. Maybe later. Thanks again!

May I ask why you're running the site anonymously?

Sure! We run the site anonymously for the same reason as others - keep phishing attempts away, minimize spam, increase the security by eliminating social hacking attempts and a few other reasons that are well-known by law enforcement agencies. We did tried to run without the "privacy" option enabled and we were forced to activate it. We acknowledge that this might raise some questions but as long as we deliver a trustworthy service this shouldn't matter too much for our users.

still says domain not active for me. I tried doing a control refresh but still no.

BTW, it is back up.

Great ! Now the GIMP team will use this opportunity to create their own version of a "domain". I will look & work mostly like all other domains, but just mostly. Like you will not be allowed to directy save a change to its structure...

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact