Contributed by rueda on from the better-late-than-never or shut-up-and-code dept.
TL;DR - A modernised version of Undeadly is available for testing at <https://beta.undeadly.org/>. Broken features of the current site have been fixed, removed, or replaced. The new software supports - and, where appropriate, requires - HTTPS. Testing, contributions, and constructive feedback would be appreciated.
An effort to modernise the Undeadly software was initiated in response to the article Undeadly and HTTPS. This has resulted in substantially reworked software which is now available for public testing. Note that this is not the completely new system which is (arguably) needed.
Highlights of the changes include:
- HTTPS is supported everywhere, and is mandatory for activities involving sensitive information.
- (Deliberately simple) HTML5 and CSS2 are used.
- Standard HTTP error codes are used. On error in form input, the client is returned to the form and an indication of the problem(s) is given.
- Cryptography has been modernised. For example, HMAC-SHA256 (rather than SHA-1) is used for digests. An exception is the user password storage which, for backward compatibility, retains the legacy format (for now).
- Coding security has been improved:
  - pledge(2), timingsafe_bcmp(3), and explicit_bzero(3) are used.
  - kcgi is used for sandboxed parsing of HTTP requests.
- The broken search facility has been replaced by an archive/index and use of a search engine.
- The errata display and RSS feed have been fixed.
- Comment modes have been removed. Comments are now displayed as nested (ordered) lists [as nature intended].
- With the exception of a few minor features needed during the transition, the CGI program is no longer Undeadly-specific. User groups and their rights are now defined in the run-time configuration file. Administrators have fine-grained control of the permitted actions for different classes of user.
- Several changes have been made in an attempt to relieve the burden on readers and (especially) editors caused by comment and submitted article spam:
  - Articles are closed for comment after a suitable interval.
  - Article and comment contributions are accepted only from logged-in users. (If there is a legitimate need for anonymous contribution, please contact the Editors.)
  - The (widely abused) "moderation" system has been removed. In its place there is now a mechanism for reporting to the Editors comments which are spammy or otherwise inappropriate.
  - User contributions are parsed more strictly than previously to prevent JavaScript and style injection.
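To make the digest and constant-time-comparison points concrete, here is an added example of a signed session cookie, written for this page and not taken from the Undeadly CGI (which is C and whose cookie format is not shown here). The cookie layout (`user|expiry|nonce|mac`), the field separator, the server key and the expiry handling are all assumptions of the example. HMAC-SHA256 covers every field before the tag, and `hmac.compare_digest` plays the role that timingsafe_bcmp(3) plays in C: it does not stop at the first mismatching byte, so a forged tag cannot be guessed byte by byte from response timing.

```python
"""Signed session cookie: HMAC-SHA256 over the cookie fields, verified with a
constant-time comparison.  Added illustration only; the real Undeadly CGI is
written in C and its cookie format is not shown on the page."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed secret for the example.  A deployment would load it from the
# run-time configuration (and, in C, wipe copies with explicit_bzero(3)).
SERVER_KEY = bytes.fromhex(
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")

SEP = "|"   # assumed field separator; hex fields can never contain it


def _mac(key: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 tag, hex-encoded so it can travel in a cookie value."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode("ascii")


def issue_cookie(user: str, ttl: int, now: Optional[int] = None,
                 key: bytes = SERVER_KEY) -> str:
    """Return 'user|expiry|nonce|mac'.  The MAC covers every field before it,
    so neither the user name nor the expiry can be altered without the key."""
    if SEP in user or not user.isascii():
        raise ValueError("user name must be ASCII without the separator")
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)          # makes each issued cookie distinct
    payload = f"{user}{SEP}{now + ttl}{SEP}{nonce}".encode("ascii")
    return payload.decode("ascii") + SEP + _mac(key, payload).decode("ascii")


def verify_cookie(cookie: str, now: Optional[int] = None,
                  key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user name if the cookie is authentic and unexpired, else None.
    A malformed cookie yields None rather than an exception; in a CGI the
    natural outcome is an HTTP 403."""
    now = int(time.time()) if now is None else now
    try:
        user, expiry, nonce, mac = cookie.split(SEP)
        expiry_int = int(expiry)
    except ValueError:                    # wrong field count or non-numeric expiry
        return None
    payload = f"{user}{SEP}{expiry}{SEP}{nonce}".encode("utf-8")
    # compare_digest is the Python counterpart of timingsafe_bcmp(3): it does
    # not stop at the first differing byte, so response time leaks nothing
    # about how much of a forged MAC was correct.  Both sides are bytes so a
    # non-ASCII tag from an attacker fails the comparison instead of raising.
    # The MAC is checked before any field (including expiry) is trusted.
    if not hmac.compare_digest(_mac(key, payload), mac.encode("utf-8")):
        return None
    if now >= expiry_int:
        return None
    return user
```

Verification order matters: the tag is checked before the expiry is parsed as trusted data, and any structural problem maps to "not logged in" rather than to a stack trace in the browser.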
What is Requested
- Testing
- Bug reports
- Offers of assistance, particularly with:
  - CSS - General aesthetic appeal and, specifically, better behaviour on small-screen/mobile devices need to be addressed. (Hitherto, the emphasis has been on development/testing rather than appearance.)
  - Icons for article topics.
  - Reports of spam and otherwise inappropriate comments in front page articles.
What is Not Needed
- Non-constructive criticism :-)
- Reports of spam and otherwise inappropriate comments in old articles. The Editors are aware that there are many old articles riddled with comment spam, but there is little point in attempting to address this until the articles can be closed for further comment.
(Comments are closed)
By Peter J. Philipp (pjp) on http://centroid.eu
By rjc (rjc) on
Things you probably are aware of - logon, comments, search - do not work under beta.
Other than that, I like it :^)
By rjc (rjc) on
By rueda (rueda) on http://www.openbsdfoundation.org/donations.html
It's certainly up for discussion. Some of us find reversed months fairly odd-looking, but it's in the eye of the beholder. (Thanks for the feedback.)
By rueda (rueda) on http://www.openbsdfoundation.org/donations.html
Just to clarify my previous comment...
Whilst reverse-chronological order certainly makes good sense for the current year, it's less clear (to me) that it makes sense for earlier years - and yet, consistency is desirable.
By rueda (rueda) on http://www.openbsdfoundation.org/donations.html
As stated in the article (-:
Logon should be working. It certainly is for some of us!
Search is now fixed. (It was just a copy-and-paste error in an HTML template.) Thanks for the report!
By rjc (rjc) on
It's not working as described :^P, at least not for me :^)
> Those with CSS expertise are invited to help improve the appearance on small-screen devices.
My CSS "expertise" ended around 15 years ago (before modern "smart" devices) so I won't be much help here I'm afraid :^(
> Commenting is available only to logged-in users.
>
> Logon should be working. It certainly is for some of us!
Let me elaborate - after clicking on "Login", I'm being presented with a "Username" and "Password" form and after entering my details, it "seems" to be working, i.e. it certainly produces an error when I enter details which are deliberately incorrect. However:
- I still see the "Login" link.
- "Logout" or "Preferences" links, like on the "old" (regular) site, are nowhere to be found.
- I don't see any way to post a comment.
> Search is now fixed. (It was just a copy-and-paste error in an HTML template.) Thanks for the report!
Well, it may "work" but doesn't produce any results ;^)
Thanks for breathing life back into it :^)
By rueda (rueda) on http://www.openbsdfoundation.org/donations.html
Are you accepting cookies from beta.undeadly.org?
(As mentioned in a different reply, search engines shouldn't give results for the beta site because of robots.txt)
By d. c. (d.c.) dc@ucw.cz on
> (As mentioned in a different reply, search engines shouldn't
> give results for the beta site because of robots.txt)
The login function is somehow weird. I was able to log in without any problems. Then (after reading full discussion) I pressed Home and found out I was logged out. After next login it seemed to ignore the login request. A browser "reload page" was needed to login again. Am I clear?
When I try to post a comment I sometimes get HTTP error 403.
By rueda (rueda) on http://www.openbsdfoundation.org/donations.html
> When I try to post a comment I sometimes get HTTP error 403.
That seems to confirm my suspicion that there's a cookie validation bug somewhere - will look into it. If you find a reliably reproducible case, please let us know!
By Edward Ahlsen-Girard (Ed) eagirard@cox.net on
<b>bold</b><br>
<i>italic</i><br>
<em>em</em><br>
<strong>strong</strong><br>
didn't work in preview
By rueda (rueda) on http://www.openbsdfoundation.org/donations.html
Search just redirects to DDG. Search engines shouldn't find anything on the beta site because of the robots.txt file.
Will look into the HTML-checking issue - thanks.
By Anonymous Coward (norrist) norrist@gmail.com on
By brynet (Brynet) on https://brynet.biz.tm/
Not sure if I like the yellows, but maybe it's just the Warning bar that's swaying my opinion. :-)
By brynet (Brynet) on https://brynet.biz.tm/
>
> Not sure if I like the yellows, but maybe it's just the Warning bar that's swaying my opinion. :-)
Reply Subjects don't appear to get pre-populated like they do on the main site.
By SuperH (70.71.108.62) on
Will we have to create accounts to make comments, or will commenting work the same?
By Anonymous Coward (24.113.18.65) on
By Anonymous Bastard (104.223.123.98) on
Says "Anonymous Coward" ;)
By Simon Lundstrom (simmel) simmel@soy.se on
At least the scrolling is gone, like on the old page.
Should subjects really be required on comments?
Anything but ASCII is not valid in the name, not even 8-bit ASCII like åäö.
Two newlines in plain text mode should equal a new paragraph.
Great improvement!
By Stéphane Aulery (lkppo) lkppo@free.fr on
- https://validator.w3.org/
- https://jigsaw.w3.org/css-validator/
There are still some mistakes.
Since the DOCTYPE is HTML5, it's better to drop the "/" in single elements, because it's not an XML dialect.
Some URLs aren't well escaped, e.g.:
http://undeadly.org/cgi?action=article&sid=20170613041706&mode=expanded&count=18
has to be:
http://undeadly.org/cgi?action=article&amp;sid=20170613041706&amp;mode=expanded&amp;count=18
You can also include the CSS style sheet in the head element and minify it (https://cssminifier.com/), and convert the icons for article topics to base64 and include them in the HTML/CSS.
With those last changes, the browser will send only one HTTP request. Since you almost always use the same icons, it will be really fast (2x quicker).
You can see a sample here: http://saulery.free.fr/undeadly/modified.htm
I could help a little with aesthetics, but I'm not a web designer nor a mobile expert.
By rueda (rueda) on http://www.openbsdfoundation.org/donations.html
> Some url aren't well escaped, e.g. :
We know :-( Programmatically-generated ones should all be OK, but manually-specified ones are problematic.
On the plus side, thanks to kcgi, we can now use: cgi?action=article;sid=20170613041706
(The other name-value pairs are dropped in this example because beta does not support comment modes.)
By Blake (78.192.104.249) on l33.fr
By Anonymous Coward (109.163.234.2) on
Assuming that your goal is to get a pretty looking website, here's some points:
1. The readability of the website is bad.
1.1. Lines should be between 60-80 CPL.
1.2. The font should be geometric sans-serif (I'd suggest Proxima Nova or something similar).
1.3. The size should be at least 16px.
1.4. The spacing between lines should be 1.4.
1.5. Background should probably not be #FFFFFF. There are some studies from W3C showing that people read better on websites with less contrast. Suggestion: bg #EEEEEE and fg #333333
2. There's no color palette. If you establish colors you can keep the visuals homogeneous. I'd suggest: Primary #FFC153 , Secondary #2c3e50
3. The icons are bad. I could work on this, if needed. Most people today use SVG icons, for responsiveness on mobile and big screens. If you don't want to use SVG because of compatibility issues, try to optimize the PNG icons with pngquant and ECT, to load faster.
4. Simplify the information as much as possible. I have my criticisms about this point, but, for accessibility, it's a good move to simplify the content using things like readability formulas and these tips:
http://www.dhhs.tas.gov.au/publichealth/about_us/health_literacy/health_literacy_toolkit/suitability_assessment_of_material_score_sheet
By Damien Couderc (91.135.188.215) on
By Aaron Bieber (qbit) deftly@gmail.com on http://www.bolddaemon.com
By rueda (rueda) on http://www.openbsdfoundation.org/donations.html
At this stage, the best (only!) thing is to email the Editors.
However, it might be better to hold off for a while because there's a good chance that we will have some big changes in the near future !
By ux designer (84.47.154.6) df@g.pl on
I can see you focused mainly on improvements of the code, but please, involve some UX designer to create a nice front-end. The new UI is no different than the old UI. And remember that UX is not UI
I DO realize that the content of the articles and the code of the website have a higher priority than appearance, but it's no longer 1997, and very often we use 27-inch screens, and reading such a website on modern equipment is not very convenient - for example the lines of text are too long, typography could be better etc.
Good design can still be simple, minimalistic, convenient and elegant - all at the same time.
And... this is my first comment, and I've been reading you guys for a very long time, when "undeadly" was "deadly" - I love this community, I never complained about anything, but since now you're creating an opportunity to test the new website and express opinions, I'd like to throw in a few words from myself from a UX perspective.
By Salvador Fandino (salva) sfandino@yahoo.com on
2) In the "Home" section, "Read more ..." and "View" links point to the same places, one of them could (should?) be removed.
3) I find the colors picked for the buttons (green or white text over a black background) too hard, visually stressing and distracting. Maybe a style similar to that of the upper main-sections menu could be used instead.
4) In the Login page it is not possible to recover the password.
5) When posting comments using plain text, empty lines should be converted to paragraph breaks.
6) When trying to post this comment as HTML, I got the following error: "The value(s) given for the following field(s) were invalid: article/comment content". All I was doing was using some "<p>" tags.
By Salvador Fandino (salva) sfandino@yahoo.com on
On the preview page. Because once the comment is posted it renders correctly.
And 7) Comment subjects should be optional.
By rueda (rueda) on http://www.openbsdfoundation.org/donations.html
> On the preview page. Because once the comment is posted it renders correctly.
Thanks for pointing that out. Will add fixing it to the todo list.
By Anonymous Coward (178.175.138.99) on
"Articles are closed for comment after a suitable interval."
This will definitely help. Would be better to keep comments open until some time after a new article is posted, given Undeadly's history of infrequent postings.
"Article and comment contributions are accepted only from logged-in users. (If there is a legitimate need for anonymous contribution, please contact the Editors.)"
Disallowing anonymous comments will stifle discussion significantly, given most commenters are anonymous. Anonymity helps to give people a voice where they may be afraid of persecution/isolation/segregation or accumulating disapproval just because of their opinions.
Disabling anonymous comments may not reduce the spam. I have seen many situations where spammers will register for an account and then go mad with the spam, even using many different accounts (helps bypass the CAPTCHA requirement). Unless you have good control over account registration, the restriction will just add to your administrative headache, as you have to delete the spam accounts.
Disallowing anonymous users to make articles is a different situation though, as it generally tends not to be the focus of a journal site like this.
"The (widely abused) "moderation" system has been removed. In its place there is now a mechanism for reporting to the Editors comments which are spammy or otherwise inappropriate."
Good change. You could replace it with a like/dislike system, but this may introduce a herd mentality in the comments section where people post just to seek approval from other users.
"User contributions are parsed more strictly than previously to prevent JavaScript and style injection."
A basic BBCode parser, or even just allowing some font-related HTML tags, and disallowing URL tags and other HTML, will help. Disallowing <a> links or disabling automatic URL-to-link conversion (if present) will help immensely. Genuine links will rarely be obscured in the form of <a> tags. Almost every spammer is out there to post a link to the website that they are paid to advertise, and I have found that removing the ability for them to post links such as "<a href="http://spamtastic.site/">cheap puffer fish disguises<a>" is very likely to reduce your spam problem.
You'll never stop spammers completely, but this will go a long way to help with the problem. Nobody in their right mind will copy and paste a spammy link in their browser, and many spammers rely on the "click-to-browse" style to get users onto their sites.
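The allow-list approach the comment above describes, as an added example written for this page (not the Undeadly CGI's own parser, which is C and not shown): a few formatting tags are kept, every attribute is dropped so `style=`, `on*=` and `href=` can never get through, `<a>` and every other tag vanish, and all text is re-escaped. The tag set and the choice to keep the text of dropped tags (rather than discard it) are assumptions of the example.

```python
"""Allow-list filter for user-submitted HTML.  Added example, not the
Undeadly CGI's own parser.  Keeps a handful of formatting tags, drops every
attribute and every other tag (including <a>, <script>, <style>), and
re-escapes text, so neither JavaScript nor style can be injected."""
from html import escape
from html.parser import HTMLParser

# Assumed allow-list: inline emphasis and block structure only, no links.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "blockquote", "code", "pre"}
VOID_TAGS = {"br"}                      # never pushed on the open-tag stack


class CommentFilter(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)   # entities arrive decoded
        self.out: list[str] = []
        self.open_tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                        # <a>, <img>, <script>, <style>, ... vanish
        self.out.append(f"<{tag}>")       # attrs deliberately discarded
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                        # stray or disallowed close tag
        while self.open_tags:             # close anything nested inside it too
            inner = self.open_tags.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        # Text, including the body of a dropped <script>, is escaped so it
        # can only ever render as text.
        self.out.append(escape(data, quote=True))

    def result(self) -> str:
        while self.open_tags:             # close whatever the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(user_html: str) -> str:
    """Return a well-nested HTML fragment built from untrusted user input."""
    f = CommentFilter()
    f.feed(user_html)
    f.close()
    return f.result()
```

Because the filter rebuilds the markup from scratch instead of patching the user's string, the output is always well nested and contains only tags and entities the filter itself emitted; that is what makes the "no JavaScript, no style" guarantee checkable rather than a matter of pattern-matching blocklists.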
By Anonymous Coward (178.175.138.99) on
By Edward Ahlsen-Girard (Ed) on
> "Article and comment contributions are accepted only from logged-in users. (If there is a legitimate need for anonymous contribution, please contact the Editors.)"
I am not an editor, but I suspect one reason most comments are anonymous is people not bothering to log in.
By Anonymous Coward (73.219.58.225) on
Has IPv6 access been disabled on both the old and the beta sites?
I can only access the two sites via IPv4.
I like the new look and functionality. Thanks!
By rueda (rueda) on http://www.openbsdfoundation.org/donations.html
Unfortunately, there have been IPv6 problems outside our control recently. They just happened to coincide with the beta announcement :-(
By Anonymous Coward (73.219.58.225) on
> outside our control recently.
> They just happened to coincide with the beta announcement :-(
Thanks for the reply.
If the IPv6 problems are ongoing for a while, maybe remove the AAAA records from DNS?
By Anonymous Coward (2601:186:4403:45dc:3c5c:5627:29b2:9001) on
> outside our control recently.
> They just happened to coincide with the beta announcement :-(
Looks like IPv6 is working again. :)
By Anonymous Coward (85.191.188.210) on
Everything is a little too close together, adding a little more white space around things would really help the look.
The article text perhaps shouldn't be so close to the edge of the browser window; give it a few percent margin on each side.
The grey bar over and under the Home, Archives, About, Login and Create Account navigation isn't needed. The navigation itself could go higher up on the page, but that's personal preference.
This is for the "desktop" version, I haven't looked on mobile, nor do I particularly care how it looks there.
By David Clymer (208.76.203.180) on www.zettazebra.com
By Anonymous Coward (73.219.58.225) on
The Skeleton framework has too many calls to google for my tastes.
By David Clymer (208.76.203.180) on https://www.zettazebra.com
>
>
> The Skeleton framework has too many calls to google for my tastes.
Umm...do you even know what I'm talking about? It's CSS, and self contained. There are no references to google except for one in the *example* index.html.
Feel free to actually go look at it yourself, if you prefer.
By Will Backman (24.198.212.248) on
> >
> >
> > The Skeleton framework has too many calls to google for my tastes.
>
> Umm...do you even know what I'm talking about? It's CSS, and self contained. There are no references to google except for one in the *example* index.html.
>
> Feel free to actually go look at it yourself, if you prefer.
I had the same first impression after looking at the example. jQuery and calls to google. Thanks for straightening me out. I'll have to give it a closer look.
By Anonymous Coward (2601:186:4403:45dc:f45f:1385:b77d:b1b0) on
Thanks. I'll look again. Yes, the example page was the one where I saw google api and other references.
By Anonymous Coward (cnst) on http://cm.su/
How exactly was it widely abused? Are you talking about some of the old comments with a 0/30 vote? That's because there used to be no restriction from robots visiting these rating links at one point, so, all of them were auto-voted both up and down, left and right.
BTW, it would be great to have the current source code in Git so that folks can fork and contribute easily, especially as you claim that the code is now generic enough.