
Ralsina.Me — Roberto Alsina's website

My very own Roger Ebert anecdote

It was around the time "The Blair Witch Project" was a thing, so it must have been in 1999 or 2000, that when I was reading Roger Ebert's "Movie Answer Man" column, I thought, hey, I may have something to say about this.

I emailed him about how the "found footage" genre was old, citing 1980's Cannibal Holocaust, and even going back to Edgar Allan Poe's "Arthur Gordon Pym" which is (of course) a found manuscript. We exchanged a few emails, he was always thoughtful, polite, willing to have a nice conversation. He eventually asked about what was the best possible time to visit Buenos Aires, I said spring or fall, suggested that he may be interested in attending BAFICI, and eventually it petered out.

So, not much as anecdotes go, but it made me realize I had been reading his reviews and articles (and later his blog and his twitter feed) for over 15 years.

I remember seeing him do a cameo in a lame TV show (the one with the guy that has a magical dog that brings him tomorrow's newspaper or something), and thinking, hey, I know that guy, sort of.

Now that he's dead, it seems he was, for everyone, the same as he was for me: gracious, friendly, interesting.

He was the kind of guy who wrote reviews for Deep Throat and co-authored a Russ Meyer movie, and was always ready to say that a movie was crap yet good crap because there are degrees of crap, and you have to take crap on its own terms.

I'll miss the guy.

Security Cargo Cults

Earlier I mentioned a hack I use when I need to get a clean browser quick. Here it is again:

rm -f ~/.config/ralsina/devicenzo.conf
curl https://devicenzo.googlecode.com/svn/trunk/devicenzo.py | python

Since that got posted on reddit (no, not linking it), it triggered "interesting" arguments. Basically many were shocked (shocked) about running arbitrary internet code locally in this manner. It's insecure. While I am by no means a security expert, at least I know I am ignorant.

Let's examine that insecurity claim a little, in the context of what I was proposing. I am trying to tell people "here's a small web browser that requires no setup and since it's not your main browser, you can nuke it and reset its state easily before running it, like this".

So, what's wrong with doing it that way, according to the commenters:

It's insecure because you can't see the code before running it because it's piped.

Well, that makes it exactly as insecure as every unsigned binary you ever downloaded. Or, let's be honest, every shell script, python script, perl script etc you have ever downloaded. Or do you audit them?

Who exactly is being prevented from auditing it by having it presented this way? Is the intersection of "people who can audit this script" and "people who don't understand pipes" not empty?

For those who can audit, this makes no difference. For those who can't audit, this makes no difference.

It would be better if I provided a hash of the file to know it's not tampered

And how would you know the hash is not tampered with? What you want, really, is a digital signature of the script.

If you trust google (and usually, people do), then you know that:

  1. The script was uploaded by me (check the history of the file)

  2. The script has not been tampered with on the way from the repo (since it's a secure connection and yes, there is a hash of the revision)

If you don't trust google, then you don't know who uploaded it, and if you don't trust me, you don't care who uploaded it, even if it's signed (because it's signed by someone you don't trust).
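As an added illustration of the hash argument above (this is not code from the post or from Devicenzo), the following Python script simulates both checks: comparing against a hash published next to the script on the same server, which whoever swaps the script can update too, versus comparing against a hash pinned from a channel the server does not control. The servers, scripts and hashes are constructed stand-ins; verifying a signature over the script would be the stronger step and is not shown.

```python
import hashlib
import os
import subprocess
import sys
import tempfile

# Constructed stand-ins for the served script; nothing here is devicenzo.py.
GOOD_SCRIPT = b"print('clean-browser stand-in')\n"
TAMPERED_SCRIPT = b"print('not the script you wanted')\n"

# Honest server: the script plus the hash it publishes beside it.
HONEST_SERVER = {"script": GOOD_SCRIPT,
                 "sha256": hashlib.sha256(GOOD_SCRIPT).hexdigest()}
# Compromised server: whoever swapped the script also re-published its hash.
COMPROMISED_SERVER = {"script": TAMPERED_SCRIPT,
                      "sha256": hashlib.sha256(TAMPERED_SCRIPT).hexdigest()}

# A hash you pinned from a channel the server does not control
# (the author's announcement, a repo revision you inspected, etc.).
PINNED_SHA256 = hashlib.sha256(GOOD_SCRIPT).hexdigest()


def fetch(server):
    """Stand-in for curl: returns the script and the hash published beside it."""
    return server["script"], server["sha256"]


def hash_from_same_channel_checks_out(server):
    """The check the commenter asked for: compare against the served hash."""
    script, published = fetch(server)
    return hashlib.sha256(script).hexdigest() == published


def pinned_hash_checks_out(server, pinned):
    """Compare against a hash obtained out of band instead."""
    script, _ = fetch(server)
    return hashlib.sha256(script).hexdigest() == pinned


def download_verify_run(server, pinned):
    """Replacement for `curl ... | python`: save to a file, verify, only then run.
    Returns True if the script was run, False if it was refused."""
    script, _ = fetch(server)
    if hashlib.sha256(script).hexdigest() != pinned:
        return False
    with tempfile.NamedTemporaryFile(suffix=".py", delete=False) as f:
        f.write(script)
    subprocess.run([sys.executable, f.name], check=True)
    os.unlink(f.name)
    return True
```

Against the compromised server the same-channel check passes while the pinned check refuses to run, which is the whole difference between "a hash on the page" and "something you can actually verify".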

How does the user know it's not malware?

He doesn't. Life is like that.

Why should the user trust you?

He shouldn't. OTOH, were he so inclined, he can check who wrote it, and that I am a real person, with a long history of sharing code online and no claims of ever pushing malware.

This is more insecure because it downloads on every run

You don't need to run malware more than once, anyway. So, not much of a difference.

This propagates bad habits

So does Dunkin' Donuts, and no one posts about it on reddit. But in any case, sure, it's a bad habit. Big deal.

So, is it secure? Hell no! Is it significantly less secure than installing a random PPA you see mentioned in a forum? Maybe slightly. Is it less secure than running random unsigned binaries? Hell no. Is it less secure than downloading and running it? No. Is it less secure than building a random thing from source? Hell no.

But is it less secure than the other realistic ways in which I can give you a 100+ line chunk of python code that works as a web browser? I don't think so.

In the context of "here's the code for it, it can do this", this is not significantly insecure. It's more or less as insecure as the alternatives. With the advantage that, if you want, you can audit it. It's 128 lines of code (assuming you trust Qt and PyQt and Python, etc).

So there.

The reason for the president's visit to the pope, according to the UCR

"You can see that the President's visit to the Pope was good for nothing [...] They are absolutely disrespectful. They say they won't accept any modification and they talk about democratizing"

—José Cano, head of the UCR senate bloc

Finally someone in this country who lifts the lid off the pot, who shows the inner workings of politics, who tells it like it is, who lays it all out, who crows where someone, yes, this time really laid the egg.

I take my hat off, what's more, I take my scalp off to José Cano, illustrious Radical senator, and his capacity, like a parliamentary Mr. Muscle, to bring out all the dirt the ruling party hides.

Because you already know, don't you, the reason the president went to the Vatican? So that the Radicals get more senators and can thus change the majority's bills. Or maybe so that nobody hurts their feelings. So, for the next senate election, vote Viggo Mortensen / Aragorn. Make a pope happy.

Forget about "incognito mode", use a throwaway browser!

It's not because I wrote it (ok, yes, it's because I wrote it) but if you ever need a "clean" browser, without cookies etc for tests, you can do worse than using my Devicenzo like this:

rm -f ~/.config/ralsina/devicenzo.conf
curl https://devicenzo.googlecode.com/svn/trunk/devicenzo.py | python

The first line removes all configuration, cookies, etc, you may have and the second one downloads the latest version (don't worry, it takes about 2 seconds) and launches it.

And voilà, a completely fresh out-of-the-box, webkit-based browser, with no previous history, cookies, or configuration, fairly feature-complete.


Contents © 2000-2024 Roberto Alsina