
A fast and lightweight Usenet newsreader with GUI
=================================================

Intended for POSIX conformant operating systems that use the X window system.
On Apple machines it is possible to alternatively use the native Cocoa API
(the FLTK library does this by default on macOS).
With FLTK since version 1.4 it is possible to use Wayland (not tested yet).
A detailed dependency list can be found in the file 'INSTALL'.

Development goals (in order of importance):
- No bloat
  Minimize mandatory external dependencies
  Don't use external libraries if POSIX provides equivalent facilities
  Minimize program size and startup time
  Don't do things at runtime if they can be done at build time
  Limit C++ usage as much as possible (because it's hard to keep the bloat out)
- Support for old workstations
  This is the original reason why this program was written
  Usable with CPU clocks down to 50MHz (something like a Sun SPARCstation 20)
  Support for graphics hardware with 8 bit color depth
  Support for old operating systems and compilers shipped with such machines
  Limit C++ usage as much as possible (because old C++ compilers are tricky)
  Basic Unicode support even if the operating system doesn't have Unicode locales
  Ability to correctly quote Unicode content (even if it can't be displayed)
  Implement features intended for new machines as compile time options
- Standard compliance
  Don't expect non-POSIX things from the operating system
  FHS conformant default paths for installation of files
  Standard conformant handling of TLS connections
  Standard conformant NNTP communication with the server
  Standard conformant handling of Usenet articles
  MIME compliance
- Be conservative in what you do, be liberal in what you accept from others
  Decoding support for all MIME 1.0 transfer encodings
  Decoding support for as many MIME character sets as possible
  Decoding and rewrapping support for RFC 3676 ("Format=Flowed")
  Tolerate typos but don't guess (standard defaults for undeclared parameters)
  Encode articles using MIME "7bit" or "8bit" transfer encodings only
  Encode articles as MIME "text/plain; format=fixed" type only
  Encode articles in "lowest common denominator" charset if possible
  Encode articles in Unicode as a last resort, normalize to NFC in this case
- Compatibility with other local newsreaders
  Share the group states in a '~/.newsrc' style ASCII file
- Usable X display redirection via network (or ssh tunnel)
- Warn users about things that are not forbidden but considered "bad practice"
  Display warning before X-post without Follow-up

Features that are currently not supported:
- Multiple servers
- Offline mode (for network connection via dialup line)
- UUCP
If you need one of them, use leafnode(8) as proxy server.

The program was tested on AIX, GNU/Linux, HP-UX, IRIX, NetBSD, OpenBSD, macOS
and Solaris operating systems back to versions from the 1990s.
It was reported that it also runs on Windows using the Cygwin POSIX wrapper.
It was reported that it also runs on Windows Subsystem for Linux (WSL).
A detailed list of required APIs can be found in the file 'INSTALL'.


National Language Support (NLS)
===============================

NLS concerns the user interface of the program itself: the labels of things
like menus, buttons and tooltips can be localized if it is enabled.
Note: NLS is not related to the decoding and encoding of Usenet articles!

X/Open NLS is enabled by default if the operating system reports support for it
at build time.
NLS can be forcibly disabled in the 'CONFIG' file. This gives minimum bloat and
some protection against potential Unicode related security issues.
The environment variable 'NLSPATH' is ignored for security reasons. NLS catalogs
are always searched only at the location configured in the file 'CONFIG'.

A description of how to create a new localization (L10n) can be found in the
file 'src/nls/README'.


Transport Layer Security (TLS)
==============================

TLS provides encrypted connections and authentication of the server to the
client via X509 certificates.

Both are prerequisites for client-to-server authentication via the AUTHINFO USER
NNTP protocol extension. The encrypted connection prevents an eavesdropper from
extracting the password from the network traffic. The X509 certificate check
ensures that nobody else can pose as our server and receive the password as a
"man in the middle". Only cipher suites using Diffie-Hellman-Merkle key exchange
(based on discrete logarithms with ephemeral keys) and strong symmetric
encryption algorithms are used by default. You can downgrade to weaker ones
(including key exchange based on elliptic curves and RC4 symmetric encryption)
manually if the handshake with your server fails.
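
The default policy described above, expressed with Python's ssl module as an
added example (this is not code from the program). The cipher string and all
function names are assumptions chosen for illustration; the README does not
list the exact suites.

```python
import ssl

# Assumed OpenSSL cipher string for the policy described above: ephemeral
# finite-field Diffie-Hellman key exchange combined with AEAD ciphers.
DHE_ONLY = "DHE+AESGCM:DHE+CHACHA20"


def strict_context() -> ssl.SSLContext:
    """Client context: verified X.509 chain and hostname, DHE-only suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Applies to TLS 1.2 and below; TLS 1.3 suites stay at library defaults.
    ctx.set_ciphers(DHE_ONLY)
    return ctx


def unverified_context() -> ssl.SSLContext:
    """The setting to avoid: encryption without server authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def outside_policy(ctx: ssl.SSLContext) -> list:
    """Names of enabled TLS 1.2 suites that do not use DHE key exchange."""
    names = [c["name"] for c in ctx.get_ciphers()]
    # TLS 1.3 suite names ("TLS_...") do not encode the key exchange; skip.
    return [n for n in names
            if not n.startswith("TLS_") and not n.startswith("DHE-")]


def server_authenticated(ctx: ssl.SSLContext) -> bool:
    """Gate for AUTHINFO USER/PASS: only send a password to a verified server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    for label, ctx in (("strict", strict_context()),
                       ("unverified", unverified_context())):
        print(label, "password may be sent:", server_authenticated(ctx),
              "suites outside policy:", len(outside_policy(ctx)))
```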

TLS support is enabled automatically if an OpenSSL or LibreSSL library is found
at build time. The output of 'openssl version' is used for detection (on some
systems this utility is in a different package than the libraries).

Note: The TLSv1.3 protocol is supported if at least OpenSSL 1.1.1 or LibreSSL
3.1.1 is available.

Revoked certificates for server authentication can be detected if the TLS module
is built with the option 'CFG_TLS_CRLS_DISABLE' defined to 0. If the server uses
certificates with "X509v3 CRL Distribution Points" entries, set 'crl_check' in
'configfile' to 1 (the CRLs are downloaded and maintained automatically).
See the manual page for configuration details.

Current limitations:
Without OpenSSL API 1.1 some features like the FFDHE group size check and the
negotiation of signature algorithms for the TLSv1.2 protocol are not available.
Without OpenSSL API 3 the negotiation of FFDHE groups does not work.
Dedicated LibreSSL APIs are not supported (LibreSSL support is based on the
OpenSSL APIs).


Cancel-Locks
============

Cancel and Supersede operations can be authenticated with a Cancel-Key if the
original article has a Cancel-Lock. Most servers ignore such operations without
a Cancel-Key to prevent abuse.

Some servers automatically add Cancel-Locks and Cancel-Keys to the articles of
their users on injection. To create them locally, the Message-ID must be created
locally too. You have to set the 'fqdn' entry in 'configfile' to create
Message-IDs. TLS support must be available to create Cancel-Locks/Cancel-Keys.
See the manual page for configuration details.
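
How a Cancel-Key relates to a Cancel-Lock, as an added example (not code from
the program). It uses the RFC 8315 "sha256" scheme with the key derived as an
HMAC of the Message-ID under a local secret, the derivation that RFC
recommends. The secret, the Message-ID and all function names are constructed
for illustration.

```python
import base64
import hashlib
import hmac

SCHEME = "sha256"  # the only scheme handled in this sketch


def cancel_key(secret: bytes, message_id: str) -> str:
    """Key string: Base64(HMAC-SHA256(secret, Message-ID with angle brackets))."""
    mac = hmac.new(secret, message_id.encode("ascii"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def cancel_lock(key: str) -> str:
    """Lock string: Base64(SHA256(key string)); published in the article."""
    digest = hashlib.sha256(key.encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_elements(value: str) -> list:
    """Split a header body into (scheme, code) pairs (comments not handled)."""
    pairs = []
    for element in value.split():
        scheme, sep, code = element.partition(":")
        if sep and code:
            pairs.append((scheme.lower(), code))  # scheme is case-insensitive
    return pairs


def key_unlocks(key_header: str, lock_header: str) -> bool:
    """True if any key hashes to any lock: the check a server performs."""
    locks = [code for scheme, code in parse_elements(lock_header)
             if scheme == SCHEME]
    for scheme, key in parse_elements(key_header):
        if scheme != SCHEME:
            continue
        derived = cancel_lock(key)
        if any(hmac.compare_digest(derived, lock) for lock in locks):
            return True
    return False


# Constructed sample values (not taken from a real article)
SECRET = b"constructed-local-secret"
MID = "<constructed.1@news.example.invalid>"
KEY = cancel_key(SECRET, MID)
LOCK_HEADER = SCHEME + ":" + cancel_lock(KEY)   # goes into the original article
KEY_HEADER = SCHEME + ":" + KEY                 # goes into the cancel/supersede
```

The lock can be published because it is only a hash of the key; the key itself
can be recomputed later only by someone who holds the secret and knows the
Message-ID, which is why the Message-ID has to be created locally.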


XDG support (now freedesktop.org)
=================================

The environment variable 'XDG_CONFIG_HOME' can be used to override the default
configuration directory path.

If the option 'CFG_XDG_DISABLE' is defined to 0, a desktop file and icons (for
the hicolor icon theme) are installed.

If xdg-utils are installed they are used to open the mail program for replies
and to open the WWW browser when the user clicks on a URI with scheme http(s).
This behaviour is not disabled when 'CFG_XDG_DISABLE' is defined to nonzero.


EOF
