These are chat archives for fiji/fiji

2nd
Nov 2018
Florian Jug
@fjug
Nov 02 2018 10:29
I’m having a chat with Deborah just now. We agree that it is necessary and also urgent to help, and we are happy to do so.
Still, you two are much deeper into this topic so far and our request for a short Skype call was twice masterfully ignored by you @axtimwalde ... We all are busy for sure, but it feels a bit funny that you create a mood of urgency that we almost feel bad if it will take us another month to help with this issue when on the other hand you cannot even commit to a short hangout.
In principle nothing would stop you and your team to take on the issue, would it?
So, that was all the ranting I plan to do. Let’s focus on addressing this problem. @frauzufall will contact you two ( @ctrueden & @axtimwalde ) with her best strategy, open questions, and an initial prioritization of tasks. Please help her straightening things out and then we start working on the plan we come up with and agree upon together.
Does this sound like a plan?
Curtis Rueden
@ctrueden
Nov 02 2018 14:30
@fjug I agree. We need to balance priorities while avoiding Fiji succumbing to the "complaint driven project" phenomenon. I also agree with @axtimwalde that full HTTPS support, enabled whenever possible, is important. I do disagree that it would be bad to continue allowing plain-HTTP updates in cases where HTTPS is impossible—we just need to migrate as many users as possible forward to HTTPS, and for those who cannot be migrated forward, issue a clear message telling them why not, and how to do it manually.

Deborah asked me for some more context regarding this discussion, so here are some more details, which hopefully helps more people to follow the conversation:

One issue with HTTPS + Java version is that only Java 1.8.0_101 and newer support SSL certs issued by the Let's Encrypt program. And all of the ImageJ websites use that program, because the SSL certs are automated and free.

However, Fiji shipped with Java 1.8.0_66 for quite some time. So older installations will not be new enough to use HTTPS URLs that reference update.imagej.net, update.fiji.sc or sites.imagej.net. Current Fiji bundles ship with Java 1.8.0_172, which will work.

One possibility is to simply require people to "just download a new Fiji". However, I am much more reluctant than he is to simply break the update feature for all older installations of Fiji. Or at least: I don't want to "silently" break it. I'd be OK with Fiji saying "Hey, your Java is old, you need a newer one if you want to use the Updater."

There is a chicken-and-egg problem too, regarding old versions of the Updater being hardcoded to HTTP and not supporting 301 redirects. Even if we add this Java version check... the instant we switch to force-HTTPS, older versions of Fiji will still break because they will try to reach out to http://update.imagej.net/ and will be told "301 redirected to https://update.imagej.net/" and then they will throw an exception. And even if they followed the redirect, they'd fail because they'd view the SSL certificate as invalid.

In my view, we need to continue honoring plain HTTP requests for a very long time, probably at least 3 more years. That said, if we add the Java version check, then at least people would get the latest versions of things, and subsequently (upon restart) be told that they should really now update their Java version because if they don't, they won't get secure updates.

There are also legacy installations of Fiji that use Java 6, and that certainly does not support HTTPS + Let's Encrypt either. To continue supporting the Fiji-Legacy update site, BoneJ1, 3D Viewer with Java 3D 1.5, and maybe other old things, we would need to continue allowing plain HTTP updates. An argument can be made that people wishing to use the Java-6 Fiji should download that version from the Fiji downloads page directly... but then I'd like to simply delete the Fiji-Legacy update site, since it becomes unusable.

Florian Jug
@fjug
Nov 02 2018 14:55
Thanks for this illuminating text @ctrueden … One thing I wonder:
Why would the old Java 6 installations still need the updater? Don’t you agree that we could provide such old versions but remove these versions updatability?
If you agree, could one not make a similar argument for the pre Java 1.8.0_172 versions? We could just update those such that they spit out a message with a announced point in time when it will not be updateble any more as long as users would not update Java.
Why is this suggestion not the way to go (or is it)?
tpietzsch
@tpietzsch
Nov 02 2018 15:01
sounds reasonable to me
and that can happen rather fast
I don't think we have to support these 3 more years
Curtis Rueden
@ctrueden
Nov 02 2018 15:04
@fjug That is indeed the suggestion above. However, the chicken-and-egg problem requires that plain HTTP continue to work, in order for old versions to successfully update to the new version that knows how to demand a newer Java.
tpietzsch
@tpietzsch
Nov 02 2018 15:05
oh...
Curtis Rueden
@ctrueden
Nov 02 2018 15:05
Scenario: you have an old version of Fiji. It is too stupid to check whether it has a new-enough Java. It tries to update via http://update.imagej.net/. If that fails, it will simply spew an exception.
Talking with @tpietzsch: he proposed a crazy idea. Which just might work! :-)
Curtis Rueden
@ctrueden
Nov 02 2018 15:10
The content served by http://update.imagej.net/ et al could be separate from the content served by https://update.imagej.net/.
So then, we can dead-end the HTTP content.
I would like to tackle this as my hackathon project in December.
And I can train Gaby and Deborah in respective relevant areas as part of that.
Curtis Rueden
@ctrueden
Nov 02 2018 15:16
Look, a map of Konstanz! Also Dresden. And here is the one of Madison. :stuck_out_tongue_winking_eye:
Philipp Hanslovsky
@hanslovsky
Nov 02 2018 15:19
:smile: :smile:
Curtis Rueden
@ctrueden
Nov 02 2018 15:21
@frauzufall Back to the Updater: What would be awesome to do on the Java side before/during December would be this Java version check in the imagej-launcher Java code. If you have bandwidth to add it, that would be fantastic. Then we would be well poised to make the switch on the server side during the hackathon.
Stephan Saalfeld
@axtimwalde
Nov 02 2018 15:55
@fjug back off! I did not get any requests to 'Skype' nor am I reading gitter 24/7 I also did not 'create' urgency but I explained the potential risks of the HTTP distribution. I am mentioning this in irregular intervals for a couple of years now and I keep doing it because it is dangerous and can mean great harm to the project if something bad happens. My team is not involved in updater development and also not funded to maintain Fiji. We contribute where we can, this is not ours. I had a look at the updater once but the choice to use Let's Encrypt certificates instead of a cheap conservative one that works everywhere made my attempts not work on old Java 8 then, so I gave up, not my cup of tea.
@fjug and @frauzufall Thanks for your willingness and interest to address this issue. I highly appreciate this!
tpietzsch
@tpietzsch
Nov 02 2018 16:01
hmm, reading the conversation above to me it looks like @fjug quite explicitly asked for a "chat on Monday"
twice
Stephan Saalfeld
@axtimwalde
Nov 02 2018 16:03
Really? Can't find it, but will try...
Oops, found it. Ahem...
tpietzsch
@tpietzsch
Nov 02 2018 16:07
Proposal: we chat tomorrow or on Monday... you explain me/us what is missing and how we could fix it. I’m not having a good overview of the status quo and clearly need this. Sounds reasonable?
As said multiple times. Happy to help as soon as possible. E.g. by having a chat with @frauzufall and myself tomorrow or on Monday. If we shall invest time we have at least to understand what to do, right?
that's what I would read as requests
but... whatever
nice that the http issue is being addressed
Let's all be friends again :-)
Stephan Saalfeld
@axtimwalde
Nov 02 2018 16:09
No! Now that it's been pointed out that I really ignored the request I cannot be friends with any of you ever again, or I would have to admit.
tpietzsch
@tpietzsch
Nov 02 2018 16:09
also true
well, you were anyway leaving the community after the "virtual middle finger"
:-D
Stephan Saalfeld
@axtimwalde
Nov 02 2018 16:11
... ok @fjug, I ignored your requests. Sorry! I am here now or later, or on Monday. Hangouts, appear.in or Signal work for me, I uninstalled Skype for how much it sucks.
True, but I still have to write it.
Florian Jug
@fjug
Nov 02 2018 16:24
:D
Ok, just got back from the Friday Seminar. Meaning: I missed the time where we all have maybe not been friends… whew
Happy we still are! ;)
Chatting on Monday would be fun! By then @frauzufall and I could digest all the great ideas thrown around above and we can run it past you @axtimwalde just so we do something we all like/approve.
The idea of serving different stuff on http and https requests is soooo cool @tpietzsch … diserves a :heart: ...
I now need to run… 2 hours an 10 people will want to receive food in my place (Gaia’s lab dinner)… so far not even did the required shopping… urgs! Really looking forward to have Fiji updates being safe finally! Thanks for pushig on that @axtimwalde … I mean that!
Curtis Rueden
@ctrueden
Nov 02 2018 19:52
@fjug @tischi On a different note: if you have a quick moment to comment right now: @dietzc, @tpietzsch and I are discussing our I2K talk. Could you tell us, in 1-2 sentences, your vision of what this talk is about? Which tools? How technical? How historical? What's new? Introduce the conference? Demos? ImageJ, KNIME, Fiji, ....?
Curtis Rueden
@ctrueden
Nov 02 2018 20:34
Our current plan is to structure the talk around a timeline, walking through the components of the "ImageJ+friends" ecosystem as they arose, why they arose, how they arose. So the audience understands why we are where we are.
Florian Jug
@fjug
Nov 02 2018 23:12
Ups... sorry guys... was standing in the kitchen, then eating, then drinking... ;)
That sounds absolutely great! Anectodal but at the same time informative... being able to give credit and also showing how and why it is and was used by so many.
I’d say one quarter is “the beginnings” one quarter on the middle years, another quarter on recent developments (eg KNIME stuff, but also the fusion of the forum with others, our friendships with CellProfiler, Ilastic, etc. etc.).
The last and missing quarter of time you can then spend out anything... outlook and future, introducing the workshop schedule and saying why I2K is a) the extension of the ImageJ conference but at the same time b) a new beginning.
But most important of all... follow your own feeling... take my suggestions at what it is and not more... my opinion and suggestion.
Regarding technical: I’d opt for little technical. If you want to put something technical out it should be understandable at various levels (like a good Walt Disney joke). A good example I think is @tpietzsch ‘s Mastodon tech slide... he knows what I’m referring to... ;)
Very much looking forward to be seeing your slides!!! #exciting
Christian Dietz
@dietzc
Nov 02 2018 23:58
it's ilastik.
with a K
:-D
Florian Jug
@fjug
Nov 02 2018 23:59
:D did I mention the drinking... ;)
Christian Dietz
@dietzc
Nov 02 2018 23:59
This is what I'll do next
with @tpietzsch