Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Wed, Apr 9, 2014 at 11:11 AM, Olaf Westrik wrote:
> Simon,
>
>> Don't underestimate the contribution of all the people who take
>> responsibility for the software that runs as root, or exposed to the
>> net, on your machines. It's something I have nightmares about.
>
> I do hope that is not true and that you sleep well.
> So much better to be rested and clear headed when coding :-)

I sleep more soundly knowing Simon works on dnsmasq full time these days.

> Olaf

--
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
Simon,

> Don't underestimate the contribution of all the people who take
> responsibility for the software that runs as root, or exposed to the
> net, on your machines. It's something I have nightmares about.

I do hope that is not true and that you sleep well.
So much better to be rested and clear headed when coding :-)

Olaf
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Wed, Apr 9, 2014 at 10:29 AM, Simon Kelley wrote:
> On 09/04/14 15:51, Dave Taht wrote:
>
>> My heart bleeds for the openssl folk and openssl derived application users
>> right now. More investment into creating, maintaining and improving
>> core crypto libraries is desperately needed to hold our civilization
>> together.
>
> +1
>
> Don't underestimate the contribution of all the people who take
> responsibility for the software that runs as root, or exposed to the
> net, on your machines. It's something I have nightmares about.

+10. :empathy waves:

In my case I merely have thousands of users dependent on the OS I create.
I can't push an update to them, and can only update the most current
version of the code to include support (which I did about 2 hours after
the disclosure), and hope people on my mailing list are paying attention.
Millions or billions of users would suck harder.

And I still have several internet facing machines left to fix, and certs
to recreate and redistribute. I would have preferred to have spent my
week doing something else.

The financial cost in patching this hole is nearly incalculable, and the
cost of having had it, or leaving it unpatched, is nearly infinite.

https://www.youtube.com/watch?v=_y36fG2Oba0

The cost of prevention is slight, in comparison.

> Simon.

--
Dave Täht
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 09/04/14 15:51, Dave Taht wrote:
>
> My heart bleeds for the openssl folk and openssl derived application users
> right now. More investment into creating, maintaining and improving
> core crypto libraries is desperately needed to hold our civilization together.
>

+1

Don't underestimate the contribution of all the people who take
responsibility for the software that runs as root, or exposed to the
net, on your machines. It's something I have nightmares about.

Simon.
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Wed, Apr 9, 2014 at 6:24 AM, /dev/rob0 wrote:
> On Tue, Apr 01, 2014 at 11:54:28AM -0500, I wrote:
>                          ^^
>> On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
>>> On 25/03/14 07:03 PM, sven falempin wrote:
>>>> my concern of nettle vs openssl is the amount of review and
>>>> testing nettle did get compared to something more widely(!)
>>>> used openssl
>>>
>>> something being used a lot != something being good
>>
>> Absolutely true, but in the context of open source software,
>> especially cryptographic software, more use also tends to mean
>> more code review.
>
> April Fools!
>
> ;)

My heart bleeds for the openssl folk and openssl derived application users
right now. More investment into creating, maintaining and improving
core crypto libraries is desperately needed to hold our civilization
together.

>> I'm not really qualified to judge here what is best; I can only
>> point out what I, as a user, think about it. I'll trust Simon's
>> judgment, but I hope he has considered these concerns.
>
> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

--
Dave Täht
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Tue, Apr 01, 2014 at 11:54:28AM -0500, I wrote:
                         ^^
> On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
>> On 25/03/14 07:03 PM, sven falempin wrote:
>>> my concern of nettle vs openssl is the amount of review and
>>> testing nettle did get compared to something more widely(!)
>>> used openssl
>>
>> something being used a lot != something being good
>
> Absolutely true, but in the context of open source software,
> especially cryptographic software, more use also tends to mean
> more code review.

April Fools!

;)

> I'm not really qualified to judge here what is best; I can only
> point out what I, as a user, think about it. I'll trust Simon's
> judgment, but I hope he has considered these concerns.

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 01/04/14 19:14, Nathan Dorfman wrote:
> With such superior understanding, shouldn't you be adding OpenSSL support
> to dnsmasq yourself? That way you can deal with their byzantine API and the
> resulting bugs, and Simon can instead do something actually worthwhile.
>
> But don't do that before the licensing issue has been resolved.

The motive for moving from openSSL to (not openSSL) was largely about
incompatible licenses. Delving into the git repo and finding the openSSL
adapter code is the least of the problems.

... and if anyone is volunteering to do a code audit, can I ask they
consider auditing the dnsmasq DNSSEC code, which is orders of magnitude
less mature than either openSSL _or_ Nettle? Let's get our priorities
right here.

Simon.

> On Tue, Apr 1, 2014 at 2:07 PM, Brad Smith wrote:
>
>> On 01/04/14 2:02 PM, Nathan Dorfman wrote:
>>
>>> Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
>>> someone should speak up for nettle :)
>>
>> speaking up for nettle means nothing when you don't understand the
>> issue at hand.
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Tue, Apr 01, 2014 at 10:45:44AM -0700, Dave Taht wrote:
> And thus I enthusiastically support other OSes than linux,
> other dns servers besides bind, and other crypto libraries
> besides openssl.

One named to rule them all
One named to find them
One named to bring them all
And in the darkness BIND them.

:)

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
With such superior understanding, shouldn't you be adding OpenSSL support
to dnsmasq yourself? That way you can deal with their byzantine API and the
resulting bugs, and Simon can instead do something actually worthwhile.

On Tue, Apr 1, 2014 at 2:07 PM, Brad Smith wrote:
> On 01/04/14 2:02 PM, Nathan Dorfman wrote:
>
>> Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
>> someone should speak up for nettle :)
>
> speaking up for nettle means nothing when you don't understand the
> issue at hand.
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 01/04/14 2:02 PM, Nathan Dorfman wrote:
> Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
> someone should speak up for nettle :)

speaking up for nettle means nothing when you don't understand the
issue at hand.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Tue, Apr 1, 2014 at 12:54 PM, /dev/rob0 wrote:
> a

I can't speak to an actual code audit, but nettle isn't some third-rate
clone. It's a mature, actively developed and (importantly) thoroughly
documented project.

If I were to undertake such an audit however, I would surely prefer to
have to audit nettle rather than OpenSSL, as unlike the latter, nettle's
code is quite readable and even easy on the eyes. Not to mention that
there's much less code to begin with, as the library simply doesn't try
to do everything OpenSSL does. From their introduction[1]:

"Nettle tries to avoid this problem by doing one thing, the low-level
crypto stuff, and providing a *simple* but general interface to it. In
particular, Nettle doesn't do algorithm selection. It doesn't do memory
allocation. It doesn't do any I/O."

Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
someone should speak up for nettle :)

-nd.

[1] - http://www.lysator.liu.se/~nisse/nettle/nettle.html#Introduction
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 01/04/14 1:45 PM, Dave Taht wrote:
> On Tue, Apr 1, 2014 at 9:54 AM, /dev/rob0 wrote:
>> On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
>>> On 25/03/14 07:03 PM, sven falempin wrote:
>>>> my concern of nettle vs openssl is the amount of review and
>>>> testing nettle did get compared to something more widely(!)
>>>> used
>>>
>>> something being used a lot != something being good
>>
>> Absolutely true, but in the context of open source software,
>> especially cryptographic software, more use also tends to mean
>> more code review.
>>
>> I'm not really qualified to judge here what is best; I can only
>> point out what I, as a user, think about it. I'll trust Simon's
>> judgment, but I hope he has considered these concerns.
>
> I have not been tracking this conversation closely, but my own take on
> matters is that I'm opposed to a monoculture of anything...
>
> http://www.abc.net.au/news/2013-08-29/feature-banana/4922208
>
> And thus I enthusiastically support other OSes than linux,
> other dns servers besides bind, and other crypto libraries
> besides openssl.

I have no problem with not having a monoculture. But provide an option to
support more than one crypto library. Don't assume what is good for OpenWRT
and other embedded OS's is good for everyone else. That's making a really
poor assumption.
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Tue, Apr 1, 2014 at 9:54 AM, /dev/rob0 wrote:
> On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
>> On 25/03/14 07:03 PM, sven falempin wrote:
>>> my concern of nettle vs openssl is the amount of review and
>>> testing nettle did get compared to something more widely(!)
>>> used
>>
>> something being used a lot != something being good
>
> Absolutely true, but in the context of open source software,
> especially cryptographic software, more use also tends to mean
> more code review.
>
> I'm not really qualified to judge here what is best; I can only
> point out what I, as a user, think about it. I'll trust Simon's
> judgment, but I hope he has considered these concerns.

I have not been tracking this conversation closely, but my own take on
matters is that I'm opposed to a monoculture of anything...

http://www.abc.net.au/news/2013-08-29/feature-banana/4922208

And thus I enthusiastically support other OSes than linux,
other dns servers besides bind, and other crypto libraries
besides openssl.

> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
> On 25/03/14 07:03 PM, sven falempin wrote:
>> my concern of nettle vs openssl is the amount of review and
>> testing nettle did get compared to something more widely(!)
>> used
>
> something being used a lot != something being good

Absolutely true, but in the context of open source software,
especially cryptographic software, more use also tends to mean
more code review.

I'm not really qualified to judge here what is best; I can only
point out what I, as a user, think about it. I'll trust Simon's
judgment, but I hope he has considered these concerns.

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 26/03/14 09:16, Olaf Westrik wrote:
> On 2014-03-25 23:22, Lonnie Abelbeck wrote:
>>
>> On Mar 25, 2014, at 4:52 PM, Simon Kelley wrote:
>>>
>>> Do you want openSSL instead of Nettle? If so, why?
>>>
>>> Cheers,
>>>
>>> Simon.
>>
>> I would prefer OpenSSL support.
>>
>> As a developer for a cross-compiled x86 open source project (AstLinux)
>> building and maintaining additional libraries (particularly crypto) is
>> not ideal when so many packages already require OpenSSL.
>>
>> We also try to keep the "bloat" out as much as possible, our
>> compressed images are around 40 MB in size.
>>
>> Your excellent dnsmasq is one of our core packages, it would be our
>> preference if it also supported the time tested OpenSSL shared libraries.
>>
>> Obviously using Nettle is not a deal breaker, but I think OpenSSL vs.
>> Nettle is a good discussion to have.
>
> I happen to be in a similar position as Lonnie.
> Since we use packages that use OpenSSL (Apache, OpenVPN, wget, Perl
> SSLeay), we already ship the openssl libraries and not nettle.
>
> Surely the addition of nettle, statically linked if need be, is not
> something that will double the size of our image. I am more concerned
> with the addition of yet another software package that needs to be
> monitored.
>
> If the license issue can be solved, would it be an option to use either
> nettle or openssl depending on something like make -DUSE_NETTLE or make
> -DUSE_OPENSSL?

It's something I'd consider for a future release, but 2.69 needs to be
Out There soon, and that will certainly be Nettle only. As far as I'm
concerned that's good, since if people want DNSSEC, they'll have to
provide Nettle (statically linked, if preferred). We can take some time
to see if openSSL can be made an alternative, but the nettle will have
to be grasped for 2.69. (Bad pun, sorry!)

The licensing problem is real. I'm not the only copyright holder in
dnsmasq, so even if I'm convinced, I'd need to try and identify and
contact the other interested parties to modify the license.

Cheers,

Simon.
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
> I happen to be in a similar position as Lonnie.
> Since we use packages that use OpenSSL (Apache, OpenVPN, wget, Perl
> SSLeay), we already ship the openssl libraries and not nettle.

Sorry, forgot to list sshd.

Olaf
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 26 Mar 2014 05:53, "Albert ARIBAUD" wrote:
>
> On 26/03/2014 10:16, Olaf Westrik wrote:
>
>> On 2014-03-25 23:22, Lonnie Abelbeck wrote:
>>>
>>> On Mar 25, 2014, at 4:52 PM, Simon Kelley wrote:
>>>> Do you want openSSL instead of Nettle? If so, why?
>>>>
>>>> Cheers,
>>>>
>>>> Simon.
>>>
>>> I would prefer OpenSSL support.
>>>
>>> As a developer for a cross-compiled x86 open source project (AstLinux)
>>> building and maintaining additional libraries (particularly crypto) is
>>> not ideal when so many packages already require OpenSSL.
>>>
>>> We also try to keep the "bloat" out as much as possible, our
>>> compressed images are around 40 MB in size.
>>>
>>> Your excellent dnsmasq is one of our core packages, it would be our
>>> preference if it also supported the time tested OpenSSL shared libraries.
>>>
>>> Obviously using Nettle is not a deal breaker, but I think OpenSSL vs.
>>> Nettle is a good discussion to have.
>>
>> I happen to be in a similar position as Lonnie.
>> Since we use packages that use OpenSSL (Apache, OpenVPN, wget, Perl
>> SSLeay), we already ship the openssl libraries and not nettle.
>>
>> Surely the addition of nettle, statically linked if need be, is not
>> something that will double the size of our image. I am more concerned
>> with the addition of yet another software package that needs to be
>> monitored.
>>
>> If the license issue can be solved, would it be an option to use either
>> nettle or openssl depending on something like make -DUSE_NETTLE or make
>> -DUSE_OPENSSL?
>
> Seconded (albeit not as a packager, but as an end user occasionally
> building dnsmasq), except I would prefer something along the lines of
> -DCRYPTOLIB=OPENSSL / -DCRYPTOLIB=NETTLE.
>
>> Olaf
>
> Best regards,
> --
> Albert.

Devs don't use openssl because they want to, they use it because they have
to. The library is an absolute clusterfuck. I'm fine with not working on
openssl support. We need to as a community move away from openssl whenever
possible.
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 26/03/2014 10:16, Olaf Westrik wrote:
> On 2014-03-25 23:22, Lonnie Abelbeck wrote:
>> On Mar 25, 2014, at 4:52 PM, Simon Kelley wrote:
>>> Do you want openSSL instead of Nettle? If so, why?
>>>
>>> Cheers,
>>>
>>> Simon.
>>
>> I would prefer OpenSSL support.
>>
>> As a developer for a cross-compiled x86 open source project (AstLinux)
>> building and maintaining additional libraries (particularly crypto) is
>> not ideal when so many packages already require OpenSSL.
>>
>> We also try to keep the "bloat" out as much as possible, our
>> compressed images are around 40 MB in size.
>>
>> Your excellent dnsmasq is one of our core packages, it would be our
>> preference if it also supported the time tested OpenSSL shared libraries.
>>
>> Obviously using Nettle is not a deal breaker, but I think OpenSSL vs.
>> Nettle is a good discussion to have.
>
> I happen to be in a similar position as Lonnie.
> Since we use packages that use OpenSSL (Apache, OpenVPN, wget, Perl
> SSLeay), we already ship the openssl libraries and not nettle.
>
> Surely the addition of nettle, statically linked if need be, is not
> something that will double the size of our image. I am more concerned
> with the addition of yet another software package that needs to be
> monitored.
>
> If the license issue can be solved, would it be an option to use either
> nettle or openssl depending on something like make -DUSE_NETTLE or make
> -DUSE_OPENSSL?

Seconded (albeit not as a packager, but as an end user occasionally
building dnsmasq), except I would prefer something along the lines of
-DCRYPTOLIB=OPENSSL / -DCRYPTOLIB=NETTLE.

> Olaf

Best regards,
--
Albert.
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 2014-03-25 23:22, Lonnie Abelbeck wrote:
> On Mar 25, 2014, at 4:52 PM, Simon Kelley wrote:
>> Do you want openSSL instead of Nettle? If so, why?
>>
>> Cheers,
>>
>> Simon.
>
> I would prefer OpenSSL support.
>
> As a developer for a cross-compiled x86 open source project (AstLinux)
> building and maintaining additional libraries (particularly crypto) is
> not ideal when so many packages already require OpenSSL.
>
> We also try to keep the "bloat" out as much as possible, our
> compressed images are around 40 MB in size.
>
> Your excellent dnsmasq is one of our core packages, it would be our
> preference if it also supported the time tested OpenSSL shared libraries.
>
> Obviously using Nettle is not a deal breaker, but I think OpenSSL vs.
> Nettle is a good discussion to have.

I happen to be in a similar position as Lonnie.
Since we use packages that use OpenSSL (Apache, OpenVPN, wget, Perl
SSLeay), we already ship the openssl libraries and not nettle.

Surely the addition of nettle, statically linked if need be, is not
something that will double the size of our image. I am more concerned
with the addition of yet another software package that needs to be
monitored.

If the license issue can be solved, would it be an option to use either
nettle or openssl depending on something like make -DUSE_NETTLE or make
-DUSE_OPENSSL?

Olaf
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 25/03/14 07:03 PM, sven falempin wrote:
> my concern of nettle vs openssl is the amount of review and testing
> nettle did get compared to something more widely(!) used

something being used a lot != something being good
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Tue, Mar 25, 2014 at 6:39 PM, Simon Kelley wrote:
> On 25/03/14 22:22, Lonnie Abelbeck wrote:
>>
>> On Mar 25, 2014, at 4:52 PM, Simon Kelley wrote:
>>
>>> On 25/03/14 21:25, Lonnie Abelbeck wrote:
>>>> Is the decision to not support OpenSSL shared libraries a final
>>>> decision, or is there a chance you may reconsider ?
>>>
>>> The very early DNSSEC code used openSSL, so it's possible. The
>>> reason for the change (in no particular order) was 1) the API is
>>> much nicer. 2) licensing considerations.
>>>
>>> I evaluated several possible libraries before choosing Nettle.
>>>
>>> One of the worries was bloat, especially in openWRT and similar
>>> router distributions. The conclusion was that those typically don't
>>> include openSSL anyway, they use things like dropbear, which has
>>> its own crypto.
>>>
>>> Note that whilst a full shared installation of nettle and gmp
>>> is large, the dnsmasq build system allows static linking, which
>>> means that you get the small portion of the libraries which is
>>> needed by dnsmasq, not the whole thing. When I last checked,
>>> dnsmasq compiled with DNSSEC support and statically linked against
>>> Nettle and stripped was 200k or so. That needs no extra disk space
>>> for crypto libraries at all. 200k + libc gives you everything.
>>>
>>> Conclusions from this:
>>>
>>> 1) It would be possible to use openSSL instead of Nettle.
>>> 2) To do so, you'd have to convince me (and other copyright holders)
>>> to add an openSSL exception to the dnsmasq license. I have a built-in
>>> bias for GPL-licensed software.
>>> 3) There are no real resource arguments for using openSSL instead of
>>> Nettle.
>>>
>>> Do you want openSSL instead of Nettle? If so, why?
>>>
>>> Cheers,
>>>
>>> Simon.
>>
>> I would prefer OpenSSL support.
>>
>> As a developer for a cross-compiled x86 open source project
>> (AstLinux) building and maintaining additional libraries
>> (particularly crypto) is not ideal when so many packages already
>> require OpenSSL.
>>
>> We also try to keep the "bloat" out as much as possible, our
>> compressed images are around 40 MB in size.
>>
>> Your excellent dnsmasq is one of our core packages, it would be our
>> preference if it also supported the time tested OpenSSL shared
>> libraries.
>>
>> Obviously using Nettle is not a deal breaker, but I think OpenSSL vs.
>> Nettle is a good discussion to have.
>
> Indeed, I'm interested to hear opinions.
>
> In the meantime, if you build dnsmasq with
>
> make COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
>
> then the crypto libraries will be statically linked, and you don't
> need to dedicate space to a shared installation of nettle and gmp
> which isn't actually used by anything else.
>
> Cheers,
>
> Simon.
>
>> Thanks, Lonnie

my concern of nettle vs openssl is the amount of review and testing
nettle did get compared to something more widely(!) used

--
- () ascii ribbon campaign - against html e-mail
  /\
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 25/03/14 22:22, Lonnie Abelbeck wrote:
>
> On Mar 25, 2014, at 4:52 PM, Simon Kelley wrote:
>
>> On 25/03/14 21:25, Lonnie Abelbeck wrote:
>>>
>>> Is the decision to not support OpenSSL shared libraries a final
>>> decision, or is there a chance you may reconsider ?
>>
>> The very early DNSSEC code used openSSL, so it's possible. The
>> reason for the change (in no particular order) was 1) the API is
>> much nicer. 2) licensing considerations.
>>
>> I evaluated several possible libraries before choosing Nettle.
>>
>> One of the worries was bloat, especially in openWRT and similar
>> router distributions. The conclusion was that those typically don't
>> include openSSL anyway, they use things like dropbear, which has
>> its own crypto.
>>
>> Note that whilst a full shared installation of nettle and gmp
>> is large, the dnsmasq build system allows static linking, which
>> means that you get the small portion of the libraries which is
>> needed by dnsmasq, not the whole thing. When I last checked,
>> dnsmasq compiled with DNSSEC support and statically linked against
>> Nettle and stripped was 200k or so. That needs no extra disk space
>> for crypto libraries at all. 200k + libc gives you everything.
>>
>> Conclusions from this:
>>
>> 1) It would be possible to use openSSL instead of Nettle.
>> 2) To do so, you'd have to convince me (and other copyright holders)
>> to add an openSSL exception to the dnsmasq license. I have a built-in
>> bias for GPL-licensed software.
>> 3) There are no real resource arguments for using openSSL instead of
>> Nettle.
>>
>> Do you want openSSL instead of Nettle? If so, why?
>>
>> Cheers,
>>
>> Simon.
>
> I would prefer OpenSSL support.
>
> As a developer for a cross-compiled x86 open source project
> (AstLinux) building and maintaining additional libraries
> (particularly crypto) is not ideal when so many packages already
> require OpenSSL.
>
> We also try to keep the "bloat" out as much as possible, our
> compressed images are around 40 MB in size.
>
> Your excellent dnsmasq is one of our core packages, it would be our
> preference if it also supported the time tested OpenSSL shared
> libraries.
>
> Obviously using Nettle is not a deal breaker, but I think OpenSSL vs.
> Nettle is a good discussion to have.

Indeed, I'm interested to hear opinions.

In the meantime, if you build dnsmasq with

make COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'

then the crypto libraries will be statically linked, and you don't need
to dedicate space to a shared installation of nettle and gmp which isn't
actually used by anything else.

Cheers,

Simon.

> Thanks, Lonnie
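As an added check for packagers following the static build above (example script, not from the thread or the dnsmasq project): confirm that the resulting binary really carries no runtime dependency on shared libnettle, libhogweed or libgmp, so the static link did not silently fall back to the shared libraries on the build host. The ldd output used for the offline demonstration is constructed, and the library paths and soname versions in it are assumptions.

```shell
#!/bin/sh
# Verify that a dnsmasq binary built with
#   make COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
# has the crypto libraries linked in statically, i.e. that ldd reports
# no shared libnettle / libhogweed / libgmp. Added example, not part of
# the dnsmasq build system.

# crypto_shared_deps reads ldd-style output on stdin and prints the
# names of any crypto libraries that are still dynamically linked.
# Exit status 0 means none were found (static link succeeded); 1 means
# at least one shared crypto library is still required at run time.
crypto_shared_deps() {
    # ldd lines look like:  libnettle.so.6 => /usr/lib/libnettle.so.6 (0x...)
    # so $1 is the soname; match only the three libraries of interest.
    awk '
        $1 ~ /^lib(nettle|hogweed|gmp)\.so/ { print $1; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# check_dnsmasq_static runs ldd on the given binary and reports the
# result; usable as a gate in a packaging step (returns non-zero on a
# binary that still needs the shared crypto libraries).
check_dnsmasq_static() {
    bin="$1"
    if [ ! -f "$bin" ]; then
        echo "error: $bin not found" >&2
        return 2
    fi
    # A fully static binary makes ldd print "not a dynamic executable",
    # which matches nothing above and therefore also counts as ok.
    if deps=$(ldd "$bin" 2>/dev/null | crypto_shared_deps); then
        echo "ok: $bin has no shared nettle/hogweed/gmp dependency"
        return 0
    else
        echo "warning: $bin still dynamically links: $deps"
        return 1
    fi
}

# Constructed sample ldd output (not captured from a real build) for
# trying the parser offline. Paths and soname versions are assumptions.
SAMPLE_STATIC='	linux-vdso.so.1 (0x00007ffd00000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f0000200000)'

SAMPLE_SHARED='	linux-vdso.so.1 (0x00007ffd00000000)
	libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007f0000000000)
	libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f0000100000)
	libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f0000200000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'

# Usage: sh check_static.sh /path/to/dnsmasq
if [ $# -gt 0 ]; then
    check_dnsmasq_static "$1"
fi
```

Against the constructed samples, the first passes and the second lists libhogweed.so.4, libnettle.so.6 and libgmp.so.10 as still shared.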
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Mar 25, 2014, at 4:52 PM, Simon Kelley wrote:
> On 25/03/14 21:25, Lonnie Abelbeck wrote:
>>
>> Is the decision to not support OpenSSL shared libraries a final decision, or
>> is there a chance you may reconsider ?
>
> The very early DNSSEC code used openSSL, so it's possible. The reason
> for the change (in no particular order) was 1) the API is much nicer. 2)
> licensing considerations.
>
> I evaluated several possible libraries before choosing Nettle.
>
> One of the worries was bloat, especially in openWRT and similar router
> distributions. The conclusion was that those typically don't include
> openSSL anyway, they use things like dropbear, which has its own crypto.
>
> Note that whilst a full shared installation of nettle and gmp is
> large, the dnsmasq build system allows static linking, which means that
> you get the small portion of the libraries which is needed by dnsmasq,
> not the whole thing. When I last checked, dnsmasq compiled with DNSSEC
> support and statically linked against Nettle and stripped was 200k or
> so. That needs no extra disk space for crypto libraries at all. 200k +
> libc gives you everything.
>
> Conclusions from this:
>
> 1) It would be possible to use openSSL instead of Nettle.
> 2) To do so, you'd have to convince me (and other copyright holders) to
> add an openSSL exception to the dnsmasq license. I have a built-in bias
> for GPL-licensed software.
> 3) There are no real resource arguments for using openSSL instead of Nettle.
>
> Do you want openSSL instead of Nettle? If so, why?
>
> Cheers,
>
> Simon.

I would prefer OpenSSL support.

As a developer for a cross-compiled x86 open source project (AstLinux)
building and maintaining additional libraries (particularly crypto) is
not ideal when so many packages already require OpenSSL.

We also try to keep the "bloat" out as much as possible, our compressed
images are around 40 MB in size.

Your excellent dnsmasq is one of our core packages, it would be our
preference if it also supported the time tested OpenSSL shared libraries.

Obviously using Nettle is not a deal breaker, but I think OpenSSL vs.
Nettle is a good discussion to have.

Thanks, Lonnie
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 25/03/14 05:52 PM, Simon Kelley wrote:

> Do you want openSSL instead of Nettle? If so, why?

Because it's quote-unquote more secure.
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 25/03/14 21:25, Lonnie Abelbeck wrote:
>
>
> Is the decision to not support OpenSSL shared libraries a final decision, or
> is there a chance you may reconsider ?
>

The very early DNSSEC code used openSSL, so it's possible. The reason for the change (in no particular order) was 1) the API is much nicer. 2) licensing considerations.

I evaluated several possible libraries before choosing Nettle.

One of the worries was bloat, especially in openWRT and similar router distributions. The conclusion was that those typically don't include openSSL anyway, they use things like dropbear, which has its own crypto.

Note that whilst a full shared installation of nettle and gmp is large, the dnsmasq build system allows static linking, which means that you get the small portion of the libraries which is needed by dnsmasq, not the whole thing. When I last checked, dnsmasq compiled with DNSSEC support and statically linked against Nettle and stripped was 200k or so. That needs no extra disk space for crypto libraries at all. 200k + libc gives you everything.

Conclusions from this:

1) It would be possible to use openSSL instead of Nettle.
2) To do so, you'd have to convince me (and other copyright holders) to add an openSSL exception to the dnsmasq license. I have a built-in bias for GPL-licensed software.
3) There are no real resource arguments for using openSSL instead of Nettle.

Do you want openSSL instead of Nettle? If so, why?

Cheers,

Simon.
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Mar 25, 2014, at 4:13 PM, Simon Kelley wrote:

> On 25/03/14 14:43, Alex Xu wrote:
>> I'm writing the Gentoo ebuild for dnsmasq 2.69rc1
>> (https://bugs.gentoo.org/show_bug.cgi?id=504154), and I was
>> wondering if dnsmasq requires nettle and gmp, or actually
>> nettle[gmp].
>>
>> The latter builds nettle with --enable-public-key.
>>
>
>
> Probably the latter. Nettle yields two libraries, libnettle and
> libhogweed. Libnettle has the symmetric cyphers and hashes, and doesn't
> depend on libgmp. Libhogweed has the public-key cyphers and does
> depend on gmp.
>
> It sounds like nettle[gmp] is the libnettle and libhogweed version.
>
> dnsmasq needs both libnettle and libhogweed, and therefore also libgmp.
>
> Cheers,
>
> Simon.

Is the decision to not support OpenSSL shared libraries a final decision, or is there a chance you may reconsider ?

Lonnie
Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 25/03/14 14:43, Alex Xu wrote:
> I'm writing the Gentoo ebuild for dnsmasq 2.69rc1
> (https://bugs.gentoo.org/show_bug.cgi?id=504154), and I was
> wondering if dnsmasq requires nettle and gmp, or actually
> nettle[gmp].
>
> The latter builds nettle with --enable-public-key.
>

Probably the latter. Nettle yields two libraries, libnettle and libhogweed. Libnettle has the symmetric cyphers and hashes, and doesn't depend on libgmp. Libhogweed has the public-key cyphers and does depend on gmp.

It sounds like nettle[gmp] is the libnettle and libhogweed version.

dnsmasq needs both libnettle and libhogweed, and therefore also libgmp.

Cheers,

Simon.
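Simon's answer above describes which Nettle pieces a DNSSEC-enabled dnsmasq pulls in (libnettle for hashes and symmetric cyphers, libhogweed for the public-key code, libgmp underneath libhogweed), and his reply to Lonnie at the top of the thread notes that building with -DHAVE_DNSSEC_STATIC links them statically. The shell snippet below is an added example for checking a built binary against that description; it is not code from the thread or from the dnsmasq project. It classifies the loader dependencies reported by ldd (or the NEEDED entries from readelf -d, which match the same pattern) as shared, static or inconsistent, and checks the "Compile time options:" line of dnsmasq --version for DNSSEC so that a binary built without DNSSEC is not mistaken for a statically linked one. All ldd and version output embedded in it is constructed for the example, not captured from a real build.

```shell
#!/bin/sh
# Added example, not code from the dnsmasq project or from the thread.
# Classifies how a dnsmasq binary links its DNSSEC crypto (libnettle,
# libhogweed, libgmp) and whether DNSSEC was compiled in at all.

# crypto_link_mode LDD_OUTPUT
# Echoes one of:
#   shared  - libnettle, libhogweed and libgmp are all runtime dependencies
#   static  - none of the three is (static link, or DNSSEC not built in)
#   partial - some but not all of them: an inconsistent install, e.g.
#             libhogweed without libgmp cannot work, since hogweed's
#             public-key code depends on gmp
crypto_link_mode() {
  deps=$(printf '%s\n' "$1" | grep -oE 'lib(nettle|hogweed|gmp)\.so' | sort -u || true)
  n=$(printf '%s\n' "$deps" | grep -c . || true)
  case "$n" in
    3) echo shared ;;
    0) echo static ;;
    *) echo partial ;;
  esac
}

# has_dnssec VERSION_OUTPUT
# Returns 0 when the "Compile time options:" line lists DNSSEC (and not
# "no-DNSSEC", which dnsmasq prints for a build without it), 1 otherwise.
has_dnssec() {
  printf '%s\n' "$1" \
    | grep -E '^Compile time options:.*[[:space:]]DNSSEC([[:space:]]|$)' >/dev/null
}

# check_binary PATH_TO_DNSMASQ: run both checks against a real binary.
# Prefer "readelf -d" over ldd for a binary you do not trust; ldd may run
# the program's own loader. Both outputs work with crypto_link_mode.
check_binary() {
  bin=$1
  if has_dnssec "$("$bin" --version)"; then
    echo "DNSSEC: yes, crypto linking: $(crypto_link_mode "$(ldd "$bin")")"
  else
    echo "DNSSEC: not compiled in"
  fi
}

# Constructed sample output (not captured from any real system).
LDD_SHARED='    linux-vdso.so.1 =>  (0x00007fff00000000)
    libnettle.so.4 => /usr/lib/libnettle.so.4 (0x00007f0000000000)
    libhogweed.so.2 => /usr/lib/libhogweed.so.2 (0x00007f0000100000)
    libgmp.so.10 => /usr/lib/libgmp.so.10 (0x00007f0000200000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000300000)'

LDD_STATIC='    linux-vdso.so.1 =>  (0x00007fff00000000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000300000)'

LDD_BROKEN='    libhogweed.so.2 => /usr/lib/libhogweed.so.2 (0x00007f0000100000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000300000)'

VERSION_DNSSEC='Dnsmasq version 2.69rc1  Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset auth DNSSEC'

VERSION_NODNSSEC='Dnsmasq version 2.69rc1  Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset auth no-DNSSEC'

# Demo on the constructed samples.
echo "LDD_SHARED: $(crypto_link_mode "$LDD_SHARED")"
echo "LDD_STATIC: $(crypto_link_mode "$LDD_STATIC")"
echo "LDD_BROKEN: $(crypto_link_mode "$LDD_BROKEN")"
if has_dnssec "$VERSION_DNSSEC"; then echo "VERSION_DNSSEC: DNSSEC built in"; fi
if ! has_dnssec "$VERSION_NODNSSEC"; then echo "VERSION_NODNSSEC: no DNSSEC"; fi
```

Run it as a library (`. ./check_dnssec_link.sh; check_binary /usr/sbin/dnsmasq`) on an image built with `make COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'` and you should see "DNSSEC: yes, crypto linking: static"; the "partial" result is the one to act on, since it means the package manager has left a libhogweed that cannot resolve its gmp symbols at load time.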
[Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
I'm writing the Gentoo ebuild for dnsmasq 2.69rc1 (https://bugs.gentoo.org/show_bug.cgi?id=504154), and I was wondering if dnsmasq requires nettle and gmp, or actually nettle[gmp].

The latter builds nettle with --enable-public-key.