Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
Le mercredi 25 octobre 2017 12:01:45 UTC+2, Erik Bray a écrit : > > On Wed, Oct 25, 2017 at 3:56 AM, William Stein > wrote: > > > > On Tue, Oct 24, 2017 at 3:08 PM Eric Gourgoulhon > > > wrote: > >> > >> Thanks Emmanuel for the discussion

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
I'd rather discuss this in the to be opened (Real Soon Now) proposal for implementation. -- Emmanuel Charpentier Le mercredi 25 octobre 2017 11:57:13 UTC+2, Erik Bray a écrit : > > (Sorry for the multiple replies--there are just a lot of disparate > issues touched on in this message that I think

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
Le mercredi 25 octobre 2017 11:46:38 UTC+2, Erik Bray a écrit : > > Hi Emmanuel, > > On Tue, Oct 24, 2017 at 8:58 PM, Emmanuel Charpentier > wrote: > > Similarly, I am still in the dark about the ability of our Cygwin port > to > > ensure the availability of the

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
Le mercredi 25 octobre 2017 11:42:32 UTC+2, Erik Bray a écrit : > > On Wed, Oct 25, 2017 at 12:08 AM, Eric Gourgoulhon > wrote: > > Thanks Emmanuel for the discussion summary. > > > > Le mardi 24 octobre 2017 20:58:17 UTC+2, Emmanuel Charpentier a écrit : > >> > >>

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
Le mercredi 25 octobre 2017 10:41:15 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-25 00:08, Eric Gourgoulhon wrote: > > I have the feeling that the current tendency is towards a more modular > > and lighter Sage, which deviates from the original "batteries included" > > philosophy. > > I

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Erik Bray
On Wed, Oct 25, 2017 at 3:56 AM, William Stein wrote: > > On Tue, Oct 24, 2017 at 3:08 PM Eric Gourgoulhon > wrote: >> >> Thanks Emmanuel for the discussion summary. >> >> >> Le mardi 24 octobre 2017 20:58:17 UTC+2, Emmanuel Charpentier a écrit : >>> >>>

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Erik Bray
(Sorry for the multiple replies--there are just a lot of disparate issues touched on in this message that I think would be confusing to reply to all at once). On Tue, Oct 24, 2017 at 8:58 PM, Emmanuel Charpentier wrote: > This point of view is of course

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Erik Bray
Hi Emmanuel, On Tue, Oct 24, 2017 at 8:58 PM, Emmanuel Charpentier wrote: > Similarly, I am still in the dark about the ability of our Cygwin port to > ensure the availability of the Cygwin-ported OpenSSL library and development > files. Again, Erik's expertise

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Erik Bray
On Wed, Oct 25, 2017 at 12:08 AM, Eric Gourgoulhon wrote: > Thanks Emmanuel for the discussion summary. > > Le mardi 24 octobre 2017 20:58:17 UTC+2, Emmanuel Charpentier a écrit : >> >> >> It is true. But we are hoisted by our own petard : from our tutorial : >> "The Sage

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Jeroen Demeyer
On 2017-10-25 00:08, Eric Gourgoulhon wrote: I have the feeling that the current tendency is towards a more modular and lighter Sage, which deviates from the original "batteries included" philosophy. I would like to keep "batteries OPTIONALLY included". This means: use system software if

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread 'Julien Puydt' via sage-devel
Hi, Le 25/10/2017 à 00:08, Eric Gourgoulhon a écrit : > Le mardi 24 octobre 2017 20:58:17 UTC+2, Emmanuel Charpentier a écrit : > > > It is true. But we are hoisted by our own petard : from our tutorial > : > "The Sage

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread William Stein
On Tue, Oct 24, 2017 at 3:08 PM Eric Gourgoulhon wrote: > Thanks Emmanuel for the discussion summary. > > > Le mardi 24 octobre 2017 20:58:17 UTC+2, Emmanuel Charpentier a écrit : >> >> >> It is true. But we are hoisted by our own petard : from our tutorial >>

[sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread Eric Gourgoulhon
Thanks Emmanuel for the discussion summary. Le mardi 24 octobre 2017 20:58:17 UTC+2, Emmanuel Charpentier a écrit : > > > It is true. But we are hoisted by our own petard : from our tutorial > : > "The Sage download file comes with

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread Dr. David Kirkby (Kirkby Microwave Ltd)
On 24 October 2017 at 15:51, Emmanuel Charpentier < emanuel.charpent...@gmail.com> wrote: > Final tally > > Yes, we should fully support OpenSSL now, and clarify the licensing issue > : 9 unambiguous votes : > > > > No, we should wait until OpenSSL finishes fixing their license situation >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread Emmanuel Charpentier
Le mardi 24 octobre 2017 21:34:18 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-24 20:58, Emmanuel Charpentier wrote: > > A non-communicating R in Sage can be very useful if you are not using R > > in Sage at all > > I just meant to say that if you don't use R, then it's fine to have a >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread Jeroen Demeyer
On 2017-10-24 20:58, Emmanuel Charpentier wrote: A non-communicating R in Sage can be very useful if you are not using R in Sage at all I just meant to say that if you don't use R, then it's fine to have a non-communicating R. I admit that the wording was a bit cryptic.

[sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread Emmanuel Charpentier
*Abstract of discussions* In this mammoth of a thread (11 posts so far) in answer to call for vote, there have been a lot of interesting remarks and discussions. They have touched various domains, and are difficult to summarize easily. I have chosen to group these reactions by theme, and to

[sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread Emmanuel Charpentier
Final tally While I wasn't able to retrieve Erik's message where he changed his vote, his request is consistent with his remarks. Hence the final tally : Yes, we should fully support OpenSSL now, and clarify the licensing issue : 9 unambiguous votes : Dima Pasechnik

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread Erik Bray
On Mon, Oct 23, 2017 at 6:31 PM, Dima Pasechnik wrote: > There are various https-only software repos, not only Python or R-related. > IIRC kernel.org is one of them. Without SSL headers one cannot build tools to > access such repos; e.g. there are no such headers in Xcode. >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Dima Pasechnik
There are various https-only software repos, not only Python or R-related. IIRC kernel.org is one of them. Without SSL headers one cannot build tools to access such repos; e.g. there are no such headers in Xcode. One may keep repeating "optional" etc mantras, but it does not make

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 4:16 PM, Nathan Dunfield wrote: > On Monday, October 23, 2017 at 7:32:03 AM UTC-5, Erik Bray wrote: >> >> > I also balk at the idea of shipping a crippled pip. >> >> It's not crippled if you don't need it to install from HTTPS which not >> everyone

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread John H Palmieri
By the way, on OS X, an SSL-enabled curl is installed along with Xcode, so if we use that in Sage, I wonder if R will work with full functionality. (See #24081.) If so, OpenSSL would only be "needed" for Sage's pip. John On Monday, October 23, 2017 at 9:05:16 AM UTC-7, Erik Bray wrote: > >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 5:15 PM, Emmanuel Charpentier wrote: > >> >> Other participants to discussion, which did not formally vote, or "threw >> their vote away" ((C) Michael Orlitzky) in favor of another option : 10 >> people > > > No : make that 7 people... > >>

[sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
> > Other participants to discussion, which did not formally vote, or "threw > their vote away" ((C) Michael Orlitzky) in favor of another option : 10 > people > No : make that 7 people... > David Joyner > Michael Orlitzky > Nicolas M Thiéry > Dr David Kirby > Thierry

[sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Vote tally Each vote is linked (via google groups) to the last expression of the vote. Yes, we should fully support OpenSSL now, and clarify the licensing issue : 11 unambiguous votes : Erik Bray Dima Pasechnik

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Nathan Dunfield
On Monday, October 23, 2017 at 7:32:03 AM UTC-5, Erik Bray wrote: > > > I also balk at the idea of shipping a crippled pip. > > It's not crippled if you don't need it to install from HTTPS which not > everyone does. > I agree with Emmanuel that providing "pip" without HTTPS is shipping a

[sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Vote is closed. A tally of the vote should follow more or less quickly (I have about a hundred messages to review...). A tally of the comments will take longer. Expect it at the start of a new thread. -- Emmanuel Charpentier

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Le lundi 23 octobre 2017 15:44:09 UTC+2, Erik Bray a écrit : > > On Mon, Oct 23, 2017 at 3:28 PM, Emmanuel Charpentier > wrote: > >> It should be possible to disable the requirement at > >> configure time and fallback to a different default. It's a shame we > >>

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread 'Julien Puydt' via sage-devel
Le 23/10/2017 à 15:40, Emmanuel Charpentier a écrit : > BTW : the vote closes in about 20 minutes. This is your last chance to > take back any "too hasty" votes. My vote: no openSSL now - wait until the license issues are solved Snark on #sagemath

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 3:28 PM, Emmanuel Charpentier wrote: >> It should be possible to disable the requirement at >> configure time and fallback to a different default. It's a shame we >> require a patch for this for now but I can help push for an upstream >> fix

[sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
My vote : |X| Yes, we should fully support OpenSSL now, and clarify the licensing issue. BTW : the vote closes in about 20 minutes. This is your last chance to take back any "too hasty" votes. -- Emmanuel Charpentier

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 3:19 PM, Emmanuel Charpentier wrote: > > > Le lundi 23 octobre 2017 14:32:03 UTC+2, Erik Bray a écrit : >> >> On Mon, Oct 23, 2017 at 12:27 PM, Emmanuel Charpentier >> wrote: >> > >> > >> > Le lundi 23 octobre 2017

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Le lundi 23 octobre 2017 14:43:18 UTC+2, Erik Bray a écrit : > > On Mon, Oct 23, 2017 at 2:31 PM, Erik Bray > wrote: > > The same should be true for R, > > and if this is not the case (and I'm not convinced it isn't) > > This part I take back. I see now that in R's

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Le lundi 23 octobre 2017 14:32:03 UTC+2, Erik Bray a écrit : > > On Mon, Oct 23, 2017 at 12:27 PM, Emmanuel Charpentier > wrote: > > > > > > Le lundi 23 octobre 2017 12:17:06 UTC+2, Erik Bray a écrit : > >> > >> On Mon, Oct 23, 2017 at 11:57 AM, Emmanuel

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 2:31 PM, Erik Bray wrote: > The same should be true for R, > and if this is not the case (and I'm not convinced it isn't) This part I take back. I see now that in R's configure it really does refuse to proceed if it doesn't find the right libcurl

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 12:27 PM, Emmanuel Charpentier wrote: > > > Le lundi 23 octobre 2017 12:17:06 UTC+2, Erik Bray a écrit : >> >> On Mon, Oct 23, 2017 at 11:57 AM, Emmanuel Charpentier >> wrote: >> > Dear Erik, >> > >> > Le lundi 23

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Le lundi 23 octobre 2017 12:17:06 UTC+2, Erik Bray a écrit : > > On Mon, Oct 23, 2017 at 11:57 AM, Emmanuel Charpentier > wrote: > > Dear Erik, > > > > Le lundi 23 octobre 2017 11:16:05 UTC+2, Erik Bray a écrit : > >> > >> On Thu, Oct 19, 2017 at 5:19 PM, Emmanuel

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Dear Jeroen Le lundi 23 octobre 2017 11:24:18 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-19 17:21, Emmanuel Charpentier wrote: > > I do not think that a > > non-communicating R is useful in Sage. > > A non-communicating R in Sage can be very useful if you are not using R > in Sage at all

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 11:57 AM, Emmanuel Charpentier wrote: > Dear Erik, > > Le lundi 23 octobre 2017 11:16:05 UTC+2, Erik Bray a écrit : >> >> On Thu, Oct 19, 2017 at 5:19 PM, Emmanuel Charpentier >> wrote: >> > Again : R is not only a

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Dear Erik, Le lundi 23 octobre 2017 11:16:05 UTC+2, Erik Bray a écrit : > > On Thu, Oct 19, 2017 at 5:19 PM, Emmanuel Charpentier > wrote: > > Again : R is not only a software package but also an ecosystem. The > 11638 > > (as of today) packages available to R users

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 11:28 AM, Erik Bray wrote: > On Mon, Oct 23, 2017 at 11:24 AM, Jeroen Demeyer > wrote: >> On 2017-10-19 17:21, Emmanuel Charpentier wrote: >>> >>> I do not think that a >>> non-communicating R is useful in Sage. >> >> >> A

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 11:24 AM, Jeroen Demeyer wrote: > On 2017-10-19 17:21, Emmanuel Charpentier wrote: >> >> I do not think that a >> non-communicating R is useful in Sage. > > > A non-communicating R in Sage can be very useful if you are not using R in > Sage at all

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Jeroen Demeyer
On 2017-10-19 17:21, Emmanuel Charpentier wrote: I do not think that a non-communicating R is useful in Sage. A non-communicating R in Sage can be very useful if you are not using R in Sage at all (which is very likely the vast majority of Sage users).

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Fri, Oct 20, 2017 at 10:58 AM, Jeroen Demeyer wrote: > On 2017-10-19 20:07, Luca De Feo wrote: >> >> There you go for something crippled! https://shattered.io/ > > > I don't think that this is actually relevant. This attack would only work if > an attacker is able to

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Thu, Oct 19, 2017 at 10:56 PM, Thierry wrote: > Hi, > > On Thu, Oct 19, 2017 at 08:07:19PM +0200, Luca De Feo wrote: >> |X| Yes, we should fully support OpenSSL now, and clarify the >> licensing issue. >> >> > the way our >> > "package manager" works allows

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Thu, Oct 19, 2017 at 5:21 PM, Emmanuel Charpentier wrote: > > > Le mercredi 18 octobre 2017 20:36:47 UTC+2, Jeroen Demeyer a écrit : >> >> On 2017-10-18 19:02, Emmanuel Charpentier wrote: >> > This option commits us to maintain (unnecessary and dangerous, IMHO)

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Thu, Oct 19, 2017 at 5:19 PM, Emmanuel Charpentier wrote: > Again : R is not only a software package but also an ecosystem. The 11638 > (as of today) packages available to R users are a large part of R usefulness > to its users. So, "disabling downloads from

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-21 Thread Emmanuel Charpentier
Le vendredi 20 octobre 2017 10:58:32 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-19 20:07, Luca De Feo wrote: > > There you go for something crippled! https://shattered.io/ > > I don't think that this is actually relevant. This attack would only > work if an attacker is able to provide a

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-21 Thread David Joyner
On Sat, Oct 21, 2017 at 12:02 PM, Eric Gourgoulhon wrote: > Hi, > > Having read the discussion, I would add a big +1 to what Thierry proposes in > https://groups.google.com/d/msg/sage-devel/fE45025Wphs/FheYtjBWAAAJ > > So I guess that in terms of vote this means > > |X|

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-21 Thread Emmanuel Charpentier
Le vendredi 20 octobre 2017 10:51:17 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-19 17:19, Emmanuel Charpentier wrote: > > Again : R is not only a software package but also an ecosystem. > > But why? One could say the same for Python, but you can still install > Python without OpenSSL. >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-21 Thread Emmanuel Charpentier
Le vendredi 20 octobre 2017 10:49:40 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-19 17:24, William Stein wrote: > > Good, as well they should. Like you, they likely feel a responsibility > > to their users to do the right thing regarding security. I really > > appreciate the "so much

[sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-21 Thread Eric Gourgoulhon
Hi, Having read the discussion, I would add a big +1 to what Thierry proposes in https://groups.google.com/d/msg/sage-devel/fE45025Wphs/FheYtjBWAAAJ So I guess that in terms of vote this means |X| Yes, we should fully support OpenSSL now, and clarify the licensing issue. BUT following

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Dima Pasechnik
In fact, John pointed out that I am wrong; while openssl is supported by Xcode binaries, there are no headers available! (it used to be the case that they were present in some hidden directories, but this seems to be not true any more) On Friday, October 20, 2017 at 7:20:17 PM UTC+1, kcrisman

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread kcrisman
On Thursday, October 19, 2017 at 6:29:46 PM UTC-4, John H Palmieri wrote: > > > > On Thursday, October 19, 2017 at 2:17:10 PM UTC-7, Dima Pasechnik wrote: >> >> the 1-click openssl install image for OSX is called Xcode, and one can go >> for a long lunch while waiting for it to finish, even on

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Maarten Derickx
On Wednesday, 18 October 2017 18:23:53 UTC+2, Thierry (sage-googlesucks@xxx) wrote: > > Hi, > > the dichotomy of the vote is not clear to me. > > I am -1 to make openssl a standard package (hence shipped with the source > tarball), not only regarding licensing issues but also for security >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Luca De Feo
> That is totally not what I said. We don't care about collision resistance, > but we still need preimage resistance. That is still fine for SHA1 (even MD5 > as far as I know). If that's your point, an attacker can produce two colliding packages: a perfectly sound mathematical package and a

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Dima Pasechnik
On Friday, October 20, 2017 at 10:13:54 AM UTC+1, Jeroen Demeyer wrote: > > On 2017-10-20 10:54, Dima Pasechnik wrote: > > Once upon a time, http was not universally supported, one needed to use > > ftp instead. > > You misunderstood my point. It is not about http vs. https. > > What bothers

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Jeroen Demeyer
On 2017-10-20 11:32, Luca De Feo wrote: So according to your point checking the SHA1 is useless, because attackers are not able to get malicious source tarballs accepted by SageMath. That is totally not what I said. We don't care about collision resistance, but we still need preimage

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Luca De Feo
>> There you go for something crippled! https://shattered.io/ > > > I don't think that this is actually relevant. This attack would only work if > an attacker is able to provide a specially manufactured source tarball and > get it accepted by SageMath. At that point, the attacker could instead

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Jeroen Demeyer
On 2017-10-20 10:54, Dima Pasechnik wrote: Once upon a time, http was not universally supported, one needed to use ftp instead. You misunderstood my point. It is not about http vs. https. What bothers me is that "downloading packages from CRAN" is considered so important by R that it refuses

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Jeroen Demeyer
On 2017-10-19 20:07, Luca De Feo wrote: There you go for something crippled! https://shattered.io/ I don't think that this is actually relevant. This attack would only work if an attacker is able to provide a specially manufactured source tarball and get it accepted by SageMath. At that

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Dima Pasechnik
On Friday, October 20, 2017 at 9:51:17 AM UTC+1, Jeroen Demeyer wrote: > > On 2017-10-19 17:19, Emmanuel Charpentier wrote: > > Again : R is not only a software package but also an ecosystem. > > But why? One could say the same for Python, but you can still install > Python without OpenSSL.

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Jeroen Demeyer
On 2017-10-19 17:19, Emmanuel Charpentier wrote: Again : R is not only a software package but also an ecosystem. But why? One could say the same for Python, but you can still install Python without OpenSSL. What if I simply want to use R without any external packages? Or what if I want to

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Jeroen Demeyer
On 2017-10-19 17:24, William Stein wrote: Good, as well they should. Like you, they likely feel a responsibility to their users to do the right thing regarding security. I really appreciate the "so much trouble" you are "causing" Emmanuel. I also agree here. The only options should be "use

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread John H Palmieri
On Thursday, October 19, 2017 at 2:17:10 PM UTC-7, Dima Pasechnik wrote: > > the 1-click openssl install image for OSX is called Xcode, and one can go > for a long lunch while waiting for it to finish, even on a fast network... > > Apple should pick up the bill for these lunches, and much more,

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Dima Pasechnik
the 1-click openssl install image for OSX is called Xcode, and one can go for a long lunch while waiting for it to finish, even on a fast network... Apple should pick up the bill for these lunches, and much more, I fully agree.

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Thierry
Hi, On Thu, Oct 19, 2017 at 08:07:19PM +0200, Luca De Feo wrote: > |X| Yes, we should fully support OpenSSL now, and clarify the > licensing issue. > > > the way our > > "package manager" works allows to install an optional package without > > having to rely on openssl (no https), we only

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Luca De Feo
|X| Yes, we should fully support OpenSSL now, and clarify the licensing issue. > the way our > "package manager" works allows to install an optional package without > having to rely on openssl (no https), we only rely on the computation of > sha1 There you go for something crippled!

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread William Stein
On Thu, Oct 19, 2017 at 8:19 AM Emmanuel Charpentier < emanuel.charpent...@gmail.com> wrote: > Dear Erik > > Le jeudi 19 octobre 2017 09:19:00 UTC+2, Erik Bray a écrit : > >> On Wed, Oct 18, 2017 at 8:36 PM, Jeroen Demeyer >> wrote: >> > On 2017-10-18 19:02, Emmanuel

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Emmanuel Charpentier
Le mercredi 18 octobre 2017 20:36:47 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-18 19:02, Emmanuel Charpentier wrote: > > This option commits us to maintain (unnecessary and dangerous, IMHO) > > Sage-specific SSL patches at least in R, Python and pip > > Really? Which Sage-specific SSL

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Emmanuel Charpentier
Dear Erik Le jeudi 19 octobre 2017 09:19:00 UTC+2, Erik Bray a écrit : > > On Wed, Oct 18, 2017 at 8:36 PM, Jeroen Demeyer > wrote: > > On 2017-10-18 19:02, Emmanuel Charpentier wrote: > >> > >> This option commits us to maintain (unnecessary and dangerous, IMHO) >

[sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Emmanuel Charpentier
OK. Unless you correct me, I'll tally your vote as : |X| No, we should wait until OpenSSL finishes fixing their license situation formally. -- Emmanuel Charpentier Le jeudi 19 octobre 2017 09:26:46 UTC+2, Ralf Stephan a écrit : > > After the previous comments I'd like to change my vote from Yes

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Emmanuel Charpentier
Dear Jeroen, Unless you correct me, I'll tally your vote as |X| No, we should wait until OpenSSL finishes fixing their license situation formally. -- Emmanuel Charpentier Le mercredi 18 octobre 2017 11:10:38 UTC+2, Jeroen Demeyer a écrit : > > First of all, I think that your email is unfair

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Erik Bray
On Thu, Oct 19, 2017 at 3:49 PM, kcrisman wrote: > >> > For what it is worth, I strongly agree with everything you write above. >> > +1 >> >> Also +1 with some quibbles about section (agree with in >> principle, but in tone or nuance). >> > > perhaps didn't they find the

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread kcrisman
> > For what it is worth, I strongly agree with everything you write above. > +1 > > Also +1 with some quibbles about section (agree with in > principle, but in tone or nuance). > > perhaps didn't they find the openssl one-click installer right in the middle of the screen yet. That

[sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Ralf Stephan
After the previous comments I'd like to change my vote from Yes to |X| No Regards,

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Erik Bray
On Wed, Oct 18, 2017 at 8:36 PM, Jeroen Demeyer wrote: > On 2017-10-18 19:02, Emmanuel Charpentier wrote: >> >> This option commits us to maintain (unnecessary and dangerous, IMHO) >> Sage-specific SSL patches at least in R, Python and pip > > > Really? Which Sage-specific

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Jeroen Demeyer
On 2017-10-18 19:02, Emmanuel Charpentier wrote: This option commits us to maintain (unnecessary and dangerous, IMHO) Sage-specific SSL patches at least in R, Python and pip Really? Which Sage-specific SSL patches does this require in Python and pip? It seems to me that R is the only package

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Erik Bray
On Wed, Oct 18, 2017 at 6:37 PM, William Stein wrote: > > On Wed, Oct 18, 2017 at 9:23 AM Thierry > wrote: >> >> Hi, >> >> the dichotomy of the vote is not clear to me. >> >> I am -1 to make openssl a standard package (hence shipped with the

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Emmanuel Charpentier
Dear Thierry, Le mercredi 18 octobre 2017 18:23:53 UTC+2, Thierry (sage-googlesucks@xxx) a écrit : > > Hi, > > the dichotomy of the vote is not clear to me. > > I am -1 to make openssl a standard package (hence shipped with the source > tarball), not only regarding licensing issues but also

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread William Stein
On Wed, Oct 18, 2017 at 9:23 AM Thierry wrote: > Hi, > > the dichotomy of the vote is not clear to me. > > I am -1 to make openssl a standard package (hence shipped with the source > tarball), not only regarding licensing issues but also for security > reasons:

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Thierry
Hi, the dichotomy of the vote is not clear to me. I am -1 to make openssl a standard package (hence shipped with the source tarball), not only regarding licensing issues but also for security reasons: our "package manager" is such that packages can not be updated unless Sage itself is updated

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Emmanuel Charpentier
Le mercredi 18 octobre 2017 15:37:13 UTC+2, Dr. David Kirkby (Kirkby Microwave Ltd) a écrit : > > On 18 October 2017 at 14:13, Erik Bray > wrote: > >> On Wed, Oct 18, 2017 at 11:52 AM, Dr. David Kirkby (Kirkby Microwave >> Note: We're not talking about adding *any* OpenSSL

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Dr. David Kirkby (Kirkby Microwave Ltd)
On 18 October 2017 at 14:13, Erik Bray wrote: > On Wed, Oct 18, 2017 at 11:52 AM, Dr. David Kirkby (Kirkby Microwave > Note: We're not talking about adding *any* OpenSSL code to SageMath. > Sage would never be distributed with code from OpenSSL. We're only > talking about

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Erik Bray
On Wed, Oct 18, 2017 at 11:52 AM, Dr. David Kirkby (Kirkby Microwave Ltd) wrote: > On 18 Oct 2017 00:39, "William Stein" wrote: >> >> >> On Tue, Oct 17, 2017 at 4:35 PM Dr. David Kirkby (Kirkby Microwave Ltd) >>

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Jeroen Demeyer
On 2017-10-18 01:38, William Stein wrote: Absolutely not. That's not how security software works (and would be insulting to the OpenSSL developers). You are **epically** underestimating what OpenSSL is and does. +1 Implementing crypto in practice is very different from implementing a toy

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Emmanuel Charpentier
Le mercredi 18 octobre 2017 11:52:47 UTC+2, Dr. David Kirkby (Kirkby Microwave Ltd) a écrit : > > On 18 Oct 2017 00:39, "William Stein" > wrote: > > > > > > On Tue, Oct 17, 2017 at 4:35 PM Dr. David Kirkby (Kirkby Microwave Ltd) < > drki...@kirkbymicrowave.co.uk > wrote: >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Dr. David Kirkby (Kirkby Microwave Ltd)
On 18 Oct 2017 00:39, "William Stein" wrote: > > > On Tue, Oct 17, 2017 at 4:35 PM Dr. David Kirkby (Kirkby Microwave Ltd) < drkir...@kirkbymicrowave.co.uk> wrote: >> There are a lot of number theorists using Sagemath. Could one or more consider implementing the functionality

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Maarten Derickx
On Wednesday, 18 October 2017 03:35:15 UTC+2, Michael Orlitzky wrote: > > On 10/17/2017 08:42 PM, Maarten Derickx wrote: > > > > What makes you think their process is dubious? They are reaching out for > > consent from all people who have contributed, and they have removed the > > code from

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Emmanuel Charpentier
On Wednesday, 18 October 2017 10:58:28 UTC+2, Jeroen Demeyer wrote: > > On 2017-10-18 03:08, William Stein wrote: > > (a) using a broken version of the Python/R/Sage stack that exposes > > them to installing malware > > Is that really the case? I think pip is actually fail-safe in the

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Emmanuel Charpentier
On Wednesday, 18 October 2017 10:58:28 UTC+2, Jeroen Demeyer wrote: > > On 2017-10-18 03:08, William Stein wrote: > > (a) using a broken version of the Python/R/Sage stack that exposes > > them to installing malware > > Is that really the case? I think pip is actually fail-safe in the sense

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Dima Pasechnik
I think the elaboration part of the "Yes" option was not very carefully worded, this is what Michael pointed out. We cannot HOST OpenSSL source (this is illegal with its present license), but nothing prevents us from providing means to install it legally. To be on the safe side with binary

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Emmanuel Charpentier
On Wednesday, 18 October 2017 10:51:21 UTC+2, Jeroen Demeyer wrote: > > On 2017-10-18 03:08, William Stein wrote: > > The choice for users installing the Sage binary is between: > > So you are worried about *binaries*? Are there any distros that we ship > binaries for that *don't* have a

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Jeroen Demeyer
First of all, I think that your email is unfair because it presents the "Yes" option as something that we could just easily do. However, as mentioned in another post in this thread, the "Yes" option might actually be illegal. So my vote is "No".

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Dima Pasechnik
On Wednesday, October 18, 2017 at 9:51:21 AM UTC+1, Jeroen Demeyer wrote: > > On 2017-10-18 03:08, William Stein wrote: > > The choice for users installing the Sage binary is between: > > So you are worried about *binaries*? Are there any distros that we ship > binaries for that *don't* have

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Jeroen Demeyer
On 2017-10-18 03:08, William Stein wrote: (a) using a broken version of the Python/R/Sage stack that exposes them to installing malware Is that really the case? I think pip is actually fail-safe in the sense that it simply refuses to download if OpenSSL is not supported. So there is no

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Jeroen Demeyer
On 2017-10-18 03:08, William Stein wrote: The choice for users installing the Sage binary is between: So you are worried about *binaries*? Are there any distros that we ship binaries for that *don't* have a systemwide OpenSSL installed by default?

[sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread Ralf Stephan
First, to voice my opinion: [X] Require OpenSSL to be installed on the system. I really think that the Mac folks should resolve this and not require Sage to make awkward choices. As to the vote: |X| Yes, we should fully support OpenSSL now, and clarify the licensing issue. Regards,

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread William Stein
On Tue, Oct 17, 2017 at 6:41 PM Michael Orlitzky wrote: > On 10/17/2017 09:37 PM, William Stein wrote: > > > > The mail that they sent to contributors ended with, > > > > If we do not hear from you, we will assume that you have no > objection. > > > > That's

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread Michael Orlitzky
On 10/17/2017 09:37 PM, William Stein wrote: > > The mail that they sent to contributors ended with, > >   If we do not hear from you, we will assume that you have no objection. > > That's not the way it works, > > > Says who?   This is all about how things work legally, and the
