undefined | Better HN

0 pointsjustmarc1y ago0 comments

It became crystal clear that cups is a can of worms, and it would be prudent to completely replace it with with a new solution built from the ground up, ideally using modern tools and standards.

0 comments

compsciphd1y ago

or just sandbox cups. There's no reason cups needs to write anything beyond its "configuration" and its "print spool". And hence, shouldn't have access to anything beyond what it needs to configure itself and print.

thing like cups should be easy to sandbox, especially if we allow dbus like APIs as a means to cross sandbox boundaries (i.e. RPC mechanism).

and by sandbox, I dont mean simply use apparmor type rules (though that can work), but a cups that lives within its own file system and nothing else is even visible.

i.e. programs will always be buggy, even if we get rid of all language oriented bugs, there will still be logic bugs that will result in security holes. We just need to make it easy to isolate programs (and services) into their own sandboxes while retaining the ability for them to interact (as otherwise, lose much of the value of modern systems).

In practice, I would argue, a lot of modern systems do this already (ala ios/android). The apps run sandboxed and only have restricted abilities to interact with each other.

jabl1y ago

That's sort-of the direction they're going with CUPS 3. The 'local server', which is what most people will need, runs as a normal user, not root, doesn't listen on the internet, and talks only the IPP everywhere protocol. For supporting legacy printers, there will be separate sandboxed 'printer applications' which read in IPP Everywhere, run the driver code, and communicate with the backend printer using an appropriate protocol.

For enterprise users there will be a separate 'sharing server'.

https://ftp.pwg.org/pub/pwg/liaison/openprinting/presentatio...

nox1011y ago

I'd prefer they make it the default to not install it. I don't need to print from Linux. I don't print from Windows nor MacOS much either. Less than once a year. But I particularly don't print from Linux. I suspect that true for most people. cups shouldn't be a default install IMO

pxc1y ago

> I don't print from Windows nor MacOS much either. Less than once a year.

Many Linux users and developers don't run anything else. If they're to print at all it'll be from Linux.

nox1011y ago

that's fine. They can install it. I suspect the actual number of computers running linux that need to able to print be less than 1 of 20.

cherryteastain1y ago

And that new solution will have only 70% of cups' features 15 years in with tons of gotchas in everyday use cases, like wayland

pzmarzly1y ago

> new solution will have only 70% of cups' features 15 years

Which sounds fine? Most people don't want LPT printers support, they want AirPrint and WSD to just work.

ale421y ago

How many percent is "most" people? What about enterprise users with complex setups/requirements, will they be supported or out-of-luck? Typically you'll have print servers with centralized authentication, possibly logging/auditing/billing, any this might depend on "the" component they'll leave out in the new product because, well, most people don't care about it...

1 more reply

nikanj1y ago

Using modern tools and standards? So build with node.js, runs like a pig, only supports the three models made by the sponsoring company?

Loudergood1y ago

You honestly think you can do it without Electron?

jabl1y ago

Well it's your lucky day, they're working on rearchitecting cups to be, among other things, more secure. See https://ftp.pwg.org/pub/pwg/liaison/openprinting/presentatio...

panarky1y ago

What if you don't need cups because you don't print anything?

Just sudo apt remove cups right?

No, because cups is a dependency of the entire graphical subsystem, just removing cups also removes everything from the Nautilus file manager to Firefox to ubuntu-desktop itself.

normie30001y ago

Any idea why that is?!

2 more replies

cozzyd1y ago

systemd-printd incoming

j / k navigate · click thread line to collapse

0 comments

compsciphd1y ago

thing like cups should be easy to sandbox, especially if we allow dbus like APIs as a means to cross sandbox boundaries (i.e. RPC mechanism).

and by sandbox, I dont mean simply use apparmor type rules (though that can work), but a cups that lives within its own file system and nothing else is even visible.

In practice, I would argue, a lot of modern systems do this already (ala ios/android). The apps run sandboxed and only have restricted abilities to interact with each other.

jabl1y ago

For enterprise users there will be a separate 'sharing server'.

https://ftp.pwg.org/pub/pwg/liaison/openprinting/presentatio...

nox1011y ago

pxc1y ago

> I don't print from Windows nor MacOS much either. Less than once a year.

Many Linux users and developers don't run anything else. If they're to print at all it'll be from Linux.

nox1011y ago

that's fine. They can install it. I suspect the actual number of computers running linux that need to able to print be less than 1 of 20.

cherryteastain1y ago

And that new solution will have only 70% of cups' features 15 years in with tons of gotchas in everyday use cases, like wayland

pzmarzly1y ago

> new solution will have only 70% of cups' features 15 years

Which sounds fine? Most people don't want LPT printers support, they want AirPrint and WSD to just work.

ale421y ago

1 more reply

nikanj1y ago

Using modern tools and standards? So build with node.js, runs like a pig, only supports the three models made by the sponsoring company?

Loudergood1y ago

You honestly think you can do it without Electron?

jabl1y ago

Well it's your lucky day, they're working on rearchitecting cups to be, among other things, more secure. See https://ftp.pwg.org/pub/pwg/liaison/openprinting/presentatio...

panarky1y ago

What if you don't need cups because you don't print anything?

Just sudo apt remove cups right?

No, because cups is a dependency of the entire graphical subsystem, just removing cups also removes everything from the Nautilus file manager to Firefox to ubuntu-desktop itself.

normie30001y ago

Any idea why that is?!

2 more replies

cozzyd1y ago

systemd-printd incoming

j / k navigate · click thread line to collapse