Subject: Re: Request for help for beginner, thanks!

From: David Spector <dev_at_springtimesoftware.com>
Date: Mon, 18 Jan 2021 14:13:15 -0500

Dear Dan,

Thank you for taking the time to share your opinions. They certainly
differ from mine, and deserve a thoughtful response.

"Try getting one of the example programs working in a simplified case
then only then alter it."

That is EXACTLY what I tried to do in my last posting! I took the
existing example and tried to use it, unaltered. It did not work.

I'm not asking others to help me debug my code (which is actually valid,
too). I'm asking (again and again) for a working example that uploads a
file using a private key, nothing else. I am fully capable of modifying
it myself once I have it.

"If you're asking for a working example of a solution to your problem
that is tested and working, then your best bet is to hire someone to
create one for you."

The PHP Manual contains full and working examples of almost all
functions and, where relevant, categories of functions. Any competent
programmer is able to use a programming language manual like this one to
create programs themselves, without having to hire other programmers.
This includes beginning programmers (in my case I have been programming
professionally since 1965, but I consider myself a beginner in
understanding the ssh2 library because of its poor documentation; I will
say more about this below, since you brought up the question of the
quality of the documentation).

If a beginner asked you how to delete an array element, I expect you
would have the solution at your mental fingertips and simply reply with
the answer (which is: call 'unset' on the element reference, like this:
"unset($Arr['apple']);"). In this case, because of its familiarity and
good documentation, you would likely not even bother testing it (as
indeed I did not).

Why, then, are you so emphatic in stating, twice, that I must hire
another programmer to use the ssh2 functions? I believe the answer is
that you are extremely defensive, probably because you are personally
responsible for much of that code and believe that you have also
documented the library fully. Somehow you have construed my innocent and
somewhat desperate question as an attack on your baby.

Accordingly, you will find this, my response, equally defensive.

While being defensive against perceived attack is psychologically
understandable, it is not a stance anyone should take in public as a
computer professional, the main reason being that it shows a remarkable
disinterest in helping a fellow programmer and a human being who has
asked for help.

I would be quite ashamed if I ever replied this way in a public forum.

Better to say nothing than to insult someone who has asked so sincerely
for help, and has followed up each reply as conscientiously as I have.

You could have chosen to say nothing rather than to insult me in this
indirect and uncivil way.

I presented in my question a tested and working PHP solution for
uploading a file insecurely, which only slightly expands upon the
example given in the PHP Manual. This example worked the first time I
tried it, because like most PHP Manual examples, it was complete and
tested. I have used this FTP code in several PHP programs.

Working the first time was not the case with the ssh2 library, whose
basic example did not work for me either time I tried it. Does it work
for anyone else here? I don't know, because probably no one has actually
tried it.

Has anyone in the world succeeded in uploading a file using ssh2? I'm
beginning to think not. Else why would it take so many days to find a
working example?

All I am asking is for the same example as FTP but that works securely,
using sFTP. Am I not being reasonable? If not, why not?

I have found this library to have been documented at an inferior level
to other libraries and function categories, mainly in that its primary
example does not work, and that there is no clear and working example of
using sFTP with a private key, and also because of its use of unclear
jargon in many function descriptions (example: the words "key" and
"password" actually can apply to two or more different parameters of the
sFTP protocol; the documentation uses them ambiguously).

The author of the open source library phpseclib told me via email that
difficulty in getting ssh2 to work was his own motivation to create the
very large but working phpseclib library. Wow.

You may complain that ssh2 is an obscure area of PHP, and doesn't need
to be documented well, or perhaps even to work. If so, my response would
be: nonsense. It is FTP that deserves to be obscure, because in fact FTP
is insecure because it depends on just a user's password. Modern file
transfers need sFTP and other secure protocols as a basic element of any
general programming toolbox.

If it is indeed true, as you seem to be implying, that neither you nor
anyone else on this mailing list has written simple code to upload a
file, I am astounded. How is it possible to implement an entire security
library, claiming to implement sFTP as a substitute for FTP, yet never
to have written simple and working code that uses it? For, if you had,
you could simply find that working code on your computer and share it
with me instead of attacking me and/or the nature of my question.

Did the ssh2 library really get released without a thorough test suite
that includes uploading a file? Horrors.

I have done a lot of research looking for such simple PHP sFTP code as I
am requesting and have not found it on the Web. If it is so easy to find
as you claim, why has no one been able to find it in the past few weeks
that I have been posting on two Web fora asking for help, including
Experts Exchange? None of the advice and links I have received so far
have answered my simple need; many have not even been in the ball park.

I am not asking for anyone to design an entire program for me. I'm only
asking (again and again and again) for a simple working example of sFTP
code using functions that are documented in the PHP Manual (working
means the PHP output is included and the file was indeed uploaded).

I think the world deserves such an example because it is basic and so
many people need it, and if I ever find it I will most certainly add it
to the PHP Manual as well as posting it in public fora to help all the
others who have been repeatedly denied by well-meaning but
self-appointed guardians of the holy gates of knowledge (we don't guard
array operations; why do we guard the ssh2 library so zealously?).

Using sFTP in PHP should not be guarded as a holy secret. It should be
shared freely, like the rest of the basics of programming.

Surely you don't believe that modern cryptographic methods should be
kept secret because you believe that secrecy enhances their
cryptographic security? I hope not, because it is a cornerstone of
modern cryptography that its methods be made fully public.

And, finally, if the ssh2 library cannot actually upload a file using a
private key, which I am beginning to suspect, this important fact should
simply be admitted and documented. Then we can turn to cURL, phpseclib,
or other solutions instead of banging our head against the wall with the
PHP ssh2 library.

David Spector
Springtime Software
_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2021-01-18