On Mon, Dec 13, 1999 at 10:08:52PM +0100, Rene G. Eberhard wrote:
> Please excuse these questions. It is definitely NOT personal!
> I do not doubt your work!
Ok, I will try to not take it personally :-)

> > This patch was partly inspired by Ben Laurie in private communication.
> 
> What's the procedure to integrate such a patch in OpenSSL? Lutz is not
> an official member of the OpenSSL dev group. Does the group trust
> such patches? Furthermore the patch is stored on a public ftp server
> without any integrity check. Who does a review of this 70k patch
> and how is it tested?

I understand your comments; I want to throw some DM 0.02 into it:
- There is (unfortunately) no "official" way to submit bug reports or patches
  listed.  There is openssl-bugs, which is however gated to openssl-dev...
- Hence I first sent things to Ben Laurie and discussed things with him during
  the process. I picked Ben, because from the weekly state announcement:
  o Ben is currently working on:
    3. New TLS Ciphersuites.
- Just reporting the bug is useless. In OpenSource, it's OK if you submit a
  bug report; it's better to submit a patch.
- I have now PGP-signed the patches. I forgot to do so, because:
  * It is my ftp server, I am its admin, I trust it :-)
  * I do PGP-sign my Postfix/TLS patches. In the last year exactly 3 downloads
    of PGP-signature files occurred. Most people don't care about PGP-signatures.
    To be fair, I also check them rather seldom.
- With regard to the review and committal process, Ben already commented.
  Review should not be too hard, because even though the size is large,
  most of it is just one large piece.
  Please first AUDIT Eric A. Young's original version, then talk about mine :-)
  It took me longer to reverse engineer the old function than rewriting it...
- Then AUDIT the complete OpenSSL package itself :-) Since I write software
  using the OpenSSL library and the documentation (users/API) is ... thin,
  I have to go directly to the code sometimes: I don't want to have to
  audit it myself.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
