On Tue, Oct 30, 2012 at 2:55 PM, Patrick Mylund Nielsen <cryptogra...@patrickmylund.com> wrote:
> Hopefully somebody's doing some kind of integrity check pre-release no
> matter where it's hosted... :)
>
> In either case, happy to help if it is manhours you need, and I'm sure
> others on this list are as well.

I think what we need is both manhours and the hardware to run on (plus
bandwidth, etc).

> On Tue, Oct 30, 2012 at 3:51 PM, Aaron Grattafiori
> <aa...@digitalinfinity.net> wrote:
>>
>> Thank god...
>>
>> On Oct 30, 2012 7:50 AM, "Ben Laurie" <b...@links.org> wrote:
>>>
>>> On Tue, Oct 30, 2012 at 2:39 PM, Patrick Mylund Nielsen
>>> <cryptogra...@patrickmylund.com> wrote:
>>> > I would be happy to volunteer to move everything to Github. But it
>>> > really is really, really easy to do, and the maintenance required is
>>> > minimal. That or git+redmine or git+JIRA would be my suggestion.
>>>
>>> The team has ruled out having the master at github.
>>>
>>> > On Tue, Oct 30, 2012 at 3:28 PM, Ben Laurie <b...@links.org> wrote:
>>> >>
>>> >> On Tue, Oct 30, 2012 at 2:21 PM, Matthew Green
>>> >> <matthewdgr...@gmail.com> wrote:
>>> >> > So:
>>> >> >
>>> >> > 1. What is the process by which you get OpenSSL contributors to
>>> >> > notice a serious issue and apply a patch?
>>> >>
>>> >> I wouldn't know, I haven't tried :-)
>>> >>
>>> >> In my case, just ask (me, that is, not some mailing list). If the
>>> >> issue is serious, I will likely apply the patch.
>>> >>
>>> >> > 2. What are the criteria for applying a patch? Is it just 'whatever
>>> >> > interests the devs'? It seems that publishing an exploit works, but
>>> >> > is that necessary?
>>> >>
>>> >> I think it can be taken as read that the devs are interested in the
>>> >> security and stability of OpenSSL.
>>> >>
>>> >> > 3. It's 2012 -- why the **** is OpenSSL running its own ticket
>>> >> > tracker and source control servers??? (RT is a disaster.)
>>> >>
>>> >> Damn good question. Probably because we don't have a volunteer to move
>>> >> everything somewhere else and keep it running.
>>> >>
>>> >> > 4. What does it take to become an OpenSSL volunteer?
>>> >>
>>> >> :-) Like most (good) open source projects: sustained contribution.
>>> >>
>>> >> > Matt
>>> >> >
>>> >> > On Oct 30, 2012, at 10:12 AM, Ben Laurie <b...@links.org> wrote:
>>> >> >
>>> >> >> On Tue, Oct 30, 2012 at 11:58 AM, Jeffrey Walton
>>> >> >> <noloa...@gmail.com> wrote:
>>> >> >>> On Tue, Oct 30, 2012 at 5:03 AM, Ben Laurie <b...@links.org> wrote:
>>> >> >>>> On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton
>>> >> >>>> <noloa...@gmail.com> wrote:
>>> >> >>>>> On Fri, Oct 26, 2012 at 2:29 PM, John Case <c...@sdf.org> wrote:
>>> >> >>>>>>
>>> >> >>>>>> [SNIP]
>>> >> >>>>
>>> >> >>>> Apparently you think the best way to get a secure platform is to
>>> >> >>>> apply pressure through pointless security standards. I'd suggest
>>> >> >>>> your efforts might be better spent supplying patches instead. Or,
>>> >> >>>> y'know, talking to the authors of the s/w in question. You never
>>> >> >>>> know, they might care.
>>> >> >>> Ah, OK. My bad.
>>> >> >>>
>>> >> >>> I've tried supplying patches and filing bug report/enhancement
>>> >> >>> requests.
>>> >> >>>
>>> >> >>> Here was a gentle patch for spelling corrections in a README -
>>> >> >>> rejected.
>>> >> >>>
>>> >> >>> http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2401
>>> >> >>
>>> >> >> AFAICS that is not rejected, it is ignored. There's a difference.
>>> >> >>
>>> >> >> Also, your patch appears to be reversed. Or your spelling is
>>> >> >> terrible :-)
>>> >> >>
>>> >> >>> Here was a patch for Xcode awareness - rejected (is it fair to say
>>> >> >>> when it sits for years without acknowledgement?).
>>> >> >>>
>>> >> >>> http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2402
>>> >> >>
>>> >> >> Also not rejected.
>>> >> >>
>>> >> >> Now, I agree that having patches ignored isn't so great either, but
>>> >> >> the problem is:
>>> >> >>
>>> >> >> * RT doesn't actually work, the guy who allegedly maintains our
>>> >> >> infrastructure doesn't, and the team can't agree what to do about it
>>> >> >> (not that it's tried very hard).
>>> >> >>
>>> >> >> * OpenSSL is mostly maintained by volunteers, who may not have felt
>>> >> >> particularly inspired by your patches, or may just have missed them.
>>> >> >>
>>> >> >> * When people are paid, they're generally paid to do specific things,
>>> >> >> not to trawl through RT (if they even could) looking for patches to
>>> >> >> adopt. I'm sure someone could pay for that if they want to, though.
>>> >> >>
>>> >> >> * CVS is a shit tool, too, making it hard to deal with patches - we've
>>> >> >> even agreed as a team to move off it, but see above about
>>> >> >> infrastructure :-)
>>> >> >>
>>> >> >>> I can't locate a bug report on the use of the uninitialized data.
>>> >> >>> Perhaps I had the discussion on the developer's mailing list (I know
>>> >> >>> I'm not imagining it, so my apologies).
>>> >> >>>
>>> >> >>> I am also aware that patches existed for some time for CCM mode, GCM
>>> >> >>> mode, and SRP. In the case of GCM, IBM supplied the patches 5 or 10
>>> >> >>> years earlier. None were acted upon.
>>> >> >>
>>> >> >> It always amuses me when bigcorp pays to have a patch made, but
>>> >> >> somehow manages to fail to understand that the guy applying the patch
>>> >> >> has to eat, too. Plus, ISTR the IP situation is none too clear on all
>>> >> >> of these.
>>> >> >>
>>> >> >> This reminds me of the first attempt to FIPSify OpenSSL, where there
>>> >> >> was zero budget for the developer - just money for test labs and the
>>> >> >> like ("what do you mean you want money to work on it? I thought it
>>> >> >> was free software!").
>>> >> >>
>>> >> >>> The project does not appear to want outside help. If I am drawing
>>> >> >>> the wrong conclusion, please forgive me.
>>> >> >>
>>> >> >> I'll grant you that your very small patches could be considered help,
>>> >> >> and it is a little unfortunate that they were ignored, but like I
>>> >> >> say, RT is a shit tool, at least as implemented at OpenSSL, as is CVS
>>> >> >> (I notice you didn't supply the needed 4 patches, just a single one)
>>> >> >> and no-one's paying anyone to pick patches up from it, particularly.
>>> >> >>
>>> >> >> The rest of your "help" appears to be specifying flags you'd like to
>>> >> >> be used and expecting us to do the work for you. Which I actually
>>> >> >> might, I find that kind of thing therapeutic, but you get my point.
>>> >> >>
>>> >> >> I think the project would welcome help - but it needs to be useful
>>> >> >> help :-)
>>> >> >> _______________________________________________
>>> >> >> cryptography mailing list
>>> >> >> cryptography@randombit.net
>>> >> >> http://lists.randombit.net/mailman/listinfo/cryptography