X11 is dead, long live X11
The image on the left here is such a stunning example of many things wrong with the constant dumbing down of Linux that I hardly know where to begin.
1) The X11 Desktop's client/server protocol (what you see to the left) is built in. There's no need to use VNC in most cases!!
I have no idea why it is so hard for people to grasp the power of client/server graphic networking. It's simple. Easy. Transparent. And so enormously useful that
innumerable projects use it to great effect, and if only more people would just turn X11's network support on, it would be a better world.
I can only imagine it's a conspiracy.
Legions of PHBs hunched over their laptops in 1989, saying: "THIS X11 CONCEPT IS TOO POWERFUL! Imagine a world where every cell phone, handheld, laptop, desktop, server and supercomputer in the world could run all their applications on each other over a network transparent protocol!
There'd be no need to rewrite every application for every new paradigm. We'd stop having to support all the old ones in the field, too. Every app on your cellphone could run on your desktop! And every app on your desktop could run on your cellphone! Think of all the jobs that would be lost! Think of (my) children and my golf fees!"
So the orders spooled out from the Ministry of Information:
"You! Bury the documentation on the DISPLAY variable! You! Turn off the -Y option in ssh by default. You - propagate an expensive and broken RDP/ICA implementation and we promise to bid your stock up! And for god's sake, NOBODY talk about Cygwin/X!! Oh, ICA is lawsuit/patent material and requires a license (ha! our strategy is working - doing client/server graphics is now perceived to be HARD) - let's introduce a fourth client/server protocol, with multiple variants. Make sure it's slow and requires lots of round trips to the server! Call it... vnc. Make it run on everything, badly. Oh, yeah, but you know that wonderful one-to-many mode vnc has, that's useful for training? Too Dangerous. People might learn something! Turn that off!"
I have seen dozens, nay, hundreds of people, imprisoned by the need to have two or more computers at their desk, switch confusedly between multiple keyboards and mice as they struggle to keep their context and get their work done.
It's a scene that Charlie Chaplin would have satirized in Modern Times had he been alive today.
Meanwhile I sit behind my laptop (one keyboard, one mouse) and 3 additional huge screens, with LOTS and LOTS and LOTS of screen area for keeping my context, being insanely productive, thanks to a tiny, simple X11 program called x2x. Back when I was forced to run windows on that laptop I ran synergy - which was big, bloated, slow, and occasionally flaky, but still 1000% better than groping for the right mouse at the right time.
My philosophy, such as it is: One keyboard, one mouse, as many screens as possible.
Easy. Simple. Profound. But not only is X11 graphic networking disabled by default on every graphical Linux distribution, but the network ports it uses are blocked by the firewall implementation, thus rendering the idea doubly hard for users that can't even practice safe hex.
VNC's ports are blocked by default, too.
On windows
Cygwin/X has been a viable answer to distributed applications, etc, for over a decade, not that I've met a single windows administrator in all that time that had heard of it.
Yes, there were security issues regarding X11, years ago. People started blocking X11 at the firewall level, all those years ago. Those problems were solved, years ago. But ever since then there has been a steady creep of turning off X's inherent networking in every new platform, and people building single-language toolkits like Qt/E (because it was "smaller than X") and then grafting on things like acceleration in userspace, requiring a recompile, and then vnc later after they realize how useful the client/server graphic concept is, ultimately wasting even more space than X does... using a monoculture language toolkit and eliminating even the possibility of running other useful applications written in other languages, even though it's the goddamn fonts that are the biggest component of any small graphical system....
Everybody. turns. X11. off. I don't get it. I regularly blow minds by sharing an emacs window with another author across the net... via X... The other day someone I work with was having problems with his machine. We were ensconced in my office, feet up, cups of delightfully great Nicaraguan coffee in our hands. "Do you want me to unplug it and bring it over? I'm printing something but it might be done by now", he said.
"No problem", I said. I did an ssh -Y to his machine (I happened to know the IP address as I'd set up DHCP RIGHT for his machine), brought up the app, and fixed it, all without removing my feet from my desk. I could have done this - and have - for any machine, anywhere in the world - that had X11 and, at the very least, ssh -Y support.
I would have preferred to have avoided even ssh -Y as we were going over a switched network, with no possibility of anyone snooping on the conversation. Seems silly to encrypt that.
The only thing that gives me hope for X11's built-in networking is that both the OLPC and OpenMoko have it turned on by default. Perhaps through use of these projects, people will remember how to share once again, but I ain't holding my breath.
This gets me to my second issue.
2) The lack of good DNS services in the small network is one of the worst things that ever happened to networking in the post-TCP/IP era. The NetBEUI protocol - 20 years ago - had built into it the ability to NAME your machine uniquely on the network so PEOPLE could GET to it over the network. So you could SHARE files and printers - something that everybody needed to do then just as much or more as people need to do now... but today, every machine is an island to itself. Many wireless networks block even the ability to talk to machines on the same LAN! (why? because it slows down the attacks of worms and viruses, of course. Can't have worms running loose!)
I can hardly imagine the utter inanity of having TWO machines right next to each other, that can both surf the internet - but in order to print you have to drag one machine to the other, unplug the printer's usb cable, and plug it into the other machine. Forget spooling. And to share a document you have to EMAIL it out OVER THE INTERNET and BACK - in a place where 17KB/sec is a normal upload speed - just to go THREE feet.
And people regard this state of affairs as NORMAL.
Which gets me to the second flaw illustrated by the screenshot above. But first I have to vent and explain. It's kind of hard to fault the lack of working split DNS on the hardware manufacturers. Just getting 70 dollar router hardware that could serve up DHCP and run TCP/IP was hard enough. Routers that couldn't do DNS used to cost thousands! Actually supplying an extra megabyte of RAM on a router so it could run dnsmasq would add a few cents to the BOM. It's way easier to force people to remember private IP addresses like 192.168.1.200, and to have zillions of NATted networks all on identical 192.168.1.X networks that can never be connected together. (and, you don't actually need to know your IP address if you can't share files or printers or your radio stream, anyway...)
And you know, actually using your domain name for something other than your website would mean wresting control of your dns servers away from the big hosting services - can't have that, either, can we? I mean, who could understand that hm.taht.net actually pointed to my home servers and was split, so that I can talk to my pbx at home when at home, and when on the road, I can ALSO talk to my pbx at home, instead of having to change the ip address manually, when I can remember what it is.
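As an added illustration (my fragment, not the post's), here is what the router-side half of that looks like in dnsmasq: DHCP leases get real names under a local domain instead of localhost.localdomain, and hm.taht.net is split so that on the LAN it resolves to the inside address while away from home the public record answers. The addresses, MAC and domain suffix are assumed placeholders.

```conf
# /etc/dnsmasq.conf on the home router (constructed example; addresses are placeholders)
domain=home.lan            # DHCP clients receive this suffix instead of localdomain
expand-hosts               # bare names in /etc/hosts also answer as name.home.lan
local=/home.lan/           # never forward home.lan lookups to the upstream resolver
domain-needed              # never forward bare, dotless names upstream
bogus-priv                 # never forward reverse lookups for private address ranges
dhcp-range=192.168.1.100,192.168.1.199,12h
# fixed lease, so the PBX always comes back with the same name and address
dhcp-host=00:11:22:33:44:55,pbx,192.168.1.200
# split horizon: on the LAN, hm.taht.net answers with the inside address;
# on the road the public DNS for taht.net answers instead
address=/hm.taht.net/192.168.1.200
```

dnsmasq adds the hostname each DHCP client sends to its DNS answers automatically, so `ssh -Y pbx.home.lan` works without anyone remembering an address.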
God, if anybody in the ISP business talked about how USEFUL DNS is to have in the home it might mean more people would want to have a static ip address on their external networks, making things like vpns easy. Being able to get to your stuff at home or the office from anywhere might reduce the profits of all the lucrative email hosting services (that the government can inspect at any time) and the image services, etc, etc.
Lack of a good DNS or DNS like naming scheme is keeping IPv6 from being deployed widely, which unfairly impoverishes the third world, but I'm not going to get into that now.
In summary - there are an awful lot of forces acting against taking control of your own DNS. (At the moment I have a dozen domain names in limbo because I bought them from a hosting site that doesn't forward my email correctly. I note this, because writing this blog entry has been therapeutic enough for me to set a phone line on fire first thing in the morning)
But I digress.
So, at the end of this impossible situation, the Apple guys came up with a good idea a few years back that evades the politics inherent in having a distributed DNS on the edge of the home. It's called Bonjour, and it's a way, like NetBEUI had all those years ago, that an individual machine can announce to a small network what its name is, and what services it provides. It doesn't help at all for getting to your network at home from elsewhere, but it is a useful thing. It works really well for those old fashioned things like sharing files and printers on Mac networks (and Macs, being BSD based, don't have to worry about those pesky worms and viruses)
Linux machines support the same protocol via a service called avahi. But: most of the cheapo routers out there serving up DHCP information fail to provide a usable name to IP address mapping, usually providing none. At least those machines running Fedora Core 7 and earlier then come up as localhost.localdomain.
Localhost.localdomain is an alias for a network connection that is, well, local to your machine. On a network like that EVERY Linux box comes up as localhost.localdomain.
You can't GET to a machine via any protocol without knowing your ip address or having a dns name.
Which makes the above VNC dialog misleading, and worse than useless. Even if you knew how to open VNC's port on the firewall, not having a real name for your machine makes it impossible to get to your machine from anywhere unless you also know the ip address....
No machine I've seen (readers, please correct me) advertises X11 services via avahi. Not one. Worse, the most useful feature of avahi - mdns - which gives every machine on the network a useful name/service mapping - is turned off by default, and isn't even an installable package in the standard FC7 repository.
It's enough to make me want to run NetBEUI again, just to remember the good ole days. I don't want to type another IP address as long as I live.
3) The above dialog works fine for a Linux box, but asking a user that is going to use vnc to drop to the command line to use the client is a bit much. The darn vnc client is actually IN A STANDARD menu on Linux systems where it's installed, and PROMPTS you for the server's name or IP address in a little 1999-style bad-looking-font window if you run it without arguments.
Now, the ONLY reason I can think of for running vnc is to manage a Linux desktop with a windows machine, and asking someone to use the command line there is ludicrous.
Not to mention that there are, at last glance, at least four competing implementations of vnc for windows. I have no idea which of them works with Fedora's implementation and am sore inclined to try. I do know, for sure, that at least 3 of them don't have a client named vncclient.
There is only. one. X11. And Cygwin/X JUST WORKS.
4) The dialog asks for a login and password. I don't really understand why this is necessary. Under X11, it's enough to specify a remote machine's name or IP address, and that user can get in - or provide a key via X11's authentication mechanisms...
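The "key" X11 hands out is the MIT-MAGIC-COOKIE-1 secret that xauth keeps in ~/.Xauthority, and it is exactly what ssh -Y (from the coffee story above) installs for the forwarded display. As an added example, not from the post, here is a small parser for that file plus an audit pass that flags the entries a careful admin would not want to see. The sample entries and the audit thresholds are my own constructions.

```python
import struct

FAMILY_NAMES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}  # X11/Xauth.h

def _field(buf, pos):
    """Read one 16-bit big-endian length-prefixed field; return (bytes, next pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated Xauthority entry")
    return buf[pos:pos + n], pos + n

def parse_xauthority(buf):
    """Parse the bytes of an .Xauthority file into a list of entry dicts."""
    entries, pos = [], 0
    while pos < len(buf):
        (family,) = struct.unpack_from(">H", buf, pos)
        address, pos = _field(buf, pos + 2)
        number, pos = _field(buf, pos)   # display number, as ASCII digits
        name, pos = _field(buf, pos)     # auth protocol, e.g. MIT-MAGIC-COOKIE-1
        cookie, pos = _field(buf, pos)   # the secret itself
        entries.append({"family": FAMILY_NAMES.get(family, str(family)),
                        # FamilyInternet stores raw IPv4 octets, FamilyLocal a hostname
                        "address": ".".join(map(str, address)) if family == 0
                        else address.decode(errors="replace"),
                        "display": number.decode(), "name": name.decode(),
                        "cookie": cookie})
    return entries

def audit(entries):
    """Flag what a defender would want to know: wildcard hosts and short cookies."""
    warnings = []
    for e in entries:
        where = f"{e['address']}:{e['display']}"
        if e["family"] == "Wild":
            warnings.append(f"{where}: entry is valid for any host")
        if e["name"] == "MIT-MAGIC-COOKIE-1" and len(e["cookie"]) < 16:
            warnings.append(f"{where}: cookie is only {len(e['cookie'])} bytes")
    return warnings

def build_entry(family, address, number, name, cookie):
    """Encode one entry in the layout xauth writes (used here only for sample data)."""
    out = struct.pack(">H", family)
    for f in (address, number, name, cookie):
        out += struct.pack(">H", len(f)) + f
    return out

# Constructed sample: the laptop's display :0 plus a deliberately weak entry for :10
SAMPLE = (build_entry(256, b"laptop", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
          + build_entry(0, bytes([192, 168, 1, 200]), b"10", b"MIT-MAGIC-COOKIE-1", b"\xaa" * 8))
```

Run `audit(parse_xauthority(open(path, "rb").read()))` against a real file to list entries without ever printing the cookies themselves.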
The vnc password is limited to 8 characters... and the dialog doesn't bother to check for easy passwords, either. And... the passwords are sent over the network in plain text. And people worry about X11's security???
5) At the moment I haven't the foggiest idea how to share my desktop with another user via X11. It used to be possible, the back-end allows it in many ways, but I don't know how. Use remotely - yes, run individual apps, yes - share a desktop - no. That's the biggest problem with this utility for me - as sharing a whole desktop requires a paradigm shift that is largely unrequired, wasteful, insecure, and dumb. There has got to be a better way to share apps with another user than sharing the whole desktop....
Excuse me, there's another windmill I need to tilt at today.
Labels: citizen revolt, graphics, linux, X11