Re: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-11 Thread Richard Levitte - VMS Whacker

In message [EMAIL PROTECTED] on Sat, 10 Aug 
2002 22:05:18 -0400, Thomas J. Hruska [EMAIL PROTECTED] said:

For everyone concerned: I will comment on the binary builder proposals
when I have more time than I have right now.

The following need immediate commenting:

shinelight One thing that makes distribution of binaries world-wide tricky is
shinelight patents on some algorithms in some countries...  That is, like it or
shinelight not, something one has to look into and deal with.
shinelight 
shinelight InnoSetup has the ability to create customized installations.  I'd
shinelight recommend changing OpenSSL to accept a configuration (INI) file for
shinelight algorithm selection.  That way multiple binaries won't have to be built and
shinelight all countries can be supported (multiple configs will have to be created,
shinelight but that shouldn't be too difficult and won't occupy much space).

The trouble with such a scheme would be that the algorithm itself
would still exist in the library, and can then potentially be used,
just by a change in the INI file.  Under those conditions, the
algorithm is still there, even if not currently used (it's still
usable, basically).  There are fears that this is enough to put you in
trouble.  Therefore, there are people who want to be able to
physically remove the troublesome algorithms from the source, and
build the library with the rest of it.  No run-time INI file will
help there...  If it were that simple, we would already have done it a
long time ago (that's my guess at least...).

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-11 Thread Jeffrey Altman

Richard wrote:
 
 The trouble with such a scheme would be that the algorithm itself
 would still exist in the library, and can then potentially be used,
 just by a change in the INI file.  Under those conditions, the
 algorithm is still there, even if not currently used (it's still
 usable, basically).  There are fears that is enough to put you in
 trouble.  Therefore, there are people who want to be able to
 physically remove the troublesome algorithms from the source, and
 build the library with the rest of it.  No run-time INI file will
 help there...  If it was that simple, we would already have done it a
 long time ago (that's my guess at least...).

This is correct.  Simply shipping a binary with an implemented
algorithm (even when not used) opens the distributor to patent
infringement claims.  



 Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/Secured with MIT Kerberos, SRP, and 
 [EMAIL PROTECTED]   OpenSSL.



RE: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-10 Thread Andrew T. Finnell

I feel it was pretty appropriate. We upgraded to 0.9.6e when we
saw the vuln. Now they can do a DOS instead of a Buffer Overflow,
correct? The consensus in my development team was that it was much better
to be able to crash the application than be able to obtain access to the
box. The only bad thing you could say is the fact that our release date
was the same day that g came out.. Oh well. :)

- 
Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED] 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Aleksey Sanin
 Sent: Friday, August 09, 2002 9:53 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [ANNOUNCE] OpenSSL 0.9.6g released
 
 
 
 
  The issue here is responsiveness yet maintaining stability and 
  compilability in the releases.  There should only have been _ONE_ 
  release, not _THREE_.
 
 Please, raise your hands everyone who never was in the same situation!
 This is the life, move forward! Now the OpenSSL team has a stable release
 and experience on how to deal with such a situation. Cross your fingers
 and they will never do it again :)
 
 
 Aleksey Sanin
 
 BTW, thanks for creating patches and new release(s) soo quickly!
 
 





RE: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-10 Thread Andrew T. Finnell

See how badly you can slaughter the English language when you don't have
coffee? ;-)

- 
Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED] 






Re: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-10 Thread Bodo Moeller

Gregg Andrew [EMAIL PROTECTED]:

 That being said, are the fixes in 0.9.6g relevant to upgrading
 0.9.6e on unix/solaris platform,

Unless you have already installed 0.9.6f, you may want to upgrade to
0.9.6g.  Most problems are fixed in 0.9.6e, but there's at least a
possibility of denial of service attacks (the code will call abort()
instead of properly reporting an error).


-- 
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036



Re: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-10 Thread Thomas J. Hruska

At 02:40 AM 8/10/2002 +0200, Richard Levitte - VMS Whacker writeth:
> In message [EMAIL PROTECTED] on
> Fri, 09 Aug 2002 19:39:14 -0400, Thomas J. Hruska
> [EMAIL PROTECTED] said:
> 
> So, the question comes back to you, in reference to 0.9.6{e,f,g}:
> would you rather have us having waited a little more, and run the risk
> of having your Apache+mod_ssl or Apache-SSL server (assuming you run
> anything based on OpenSSL, otherwise you need to imagine yourself in
> that position) cracked, or have your computer cracked because you ran
> an OpenSSL-based client against a malicious server?  From *that*
> point of view, I think we acted in a responsible way.

Perhaps.  I personally wouldn't have minded as much if the following
actions were taken:

1)  The OpenSSL team receives notice of the security flaws in OpenSSL and
notifies via [ANNOUNCE] that they exist and schedule a fix release date.
2)  The OpenSSL team then proceeds to fix the source.
3)  Use [ANNOUNCE] to notify the lists that the latest CVS tree has fixes
for the security issues.  This allows for people to make sure it works for
all platforms.
4)  On the fix release date, announce the release.  At most you would need
two updates, but this would allow for a couple days for people to make sure
it compiles cleanly.

OR

Forward me a notice of major CVS updates...
  http://www.shininglightpro.com/search.php?searchname=Win32+OpenSSL

> shinelight Personally, I wouldn't mind if the OpenSSL team just made
> shinelight binaries for Windows.
> 
> Some time ago on this list, I asked for people willing to create
> binaries of OpenSSL for different platforms, and make them public.

I'm willing!  Well, for Win32 anyway:
  http://www.shininglightpro.com/search.php?searchname=Win32+OpenSSL
(Same link as before)

I'd like to start developing a team for this extension, but first I need to
set up a system that everyone can work with.  <beg>So, Windows lovers,
_please_ don't start bombarding me with requests to join yet.</beg>

> We'd be happy to point at sites that would consistently do that.  I
> don't quite recall if there was any response, but sometimes I see
> someone answering questions about binaries (the latest responded that
> there are compiled DLLs available at the STunnel site).
> 
> I would love to see a complete install kit that installs OpenSSL on
> Windows, just as any other piece of software.  I do not have the
> resources or the knowledge to do that myself, however, and I've no
> idea if anyone else on the team does either.

I do:  http://www.innosetup.com/

InnoSetup is what Shining Light Productions uses for scripted packaging for
automated distribution.  There are multiple ways to access the scripting
engine.  The favored method is the command-line iscc tool.  InnoSetup has
its own language with very detailed help.  It is also freeware and the
license allows for both commercial and non-commercial use.

> One thing that makes distribution of binaries world-wide tricky is
> patents on some algorithms in some countries...  That is, like it or
> not, something one has to look into and deal with.

InnoSetup has the ability to create customized installations.  I'd
recommend changing OpenSSL to accept a configuration (INI) file for
algorithm selection.  That way multiple binaries won't have to be built and
all countries can be supported (multiple configs will have to be created,
but that shouldn't be too difficult and won't occupy much space).

Hope this helps!


  Thomas J. Hruska -- [EMAIL PROTECTED]
Shining Light Productions -- Meeting the needs of fellow programmers
  http://www.shininglightpro.com/



RE: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-10 Thread Thomas J. Hruska

At 08:55 PM 8/9/2002 -0400, Rich Salz writeth:
> > Don't claim to support a platform if you don't intend on supporting it.
> > You have a Win32 version...so support it - completely.
> 
> Two points:  First, you must be new to this whole open source thing.
> Completely support?  Come on, I'll betcha not even Shining Light
> Productions completely supports its products (i.e., what's

Shining Light Productions completely supports its product line.  That is an
official stance and the Company does not back down on that claim.  There
are three different types of commercial products that are produced.
Standard Edition is for developers, Enterprise Edition is for servers, and
Custom Edition is for people who need the ability to issue PFRs (Priority
Feature Requests - 24-72 hour turnaround times - hence the extra cost).
All editions have the ability to issue FRs (Feature Requests - 3-4 week
turnaround times...maybe less).  The cost is not in the software, the cost
is support for the software.

> doesn't enter into it.  If you want opensource code to be better supported
> on your platform then (a) hire someone to do it, (b) do it yourself and
> feed changes back.

I'll take 'a' and 'b' (hired myself)...
  http://www.shininglightpro.com/search.php?searchname=Win32+OpenSSL
  http://www.shininglightpro.com/search.php?searchname=Win32+OpenSSL+Documentation

:)

Hope this helps!


  Thomas J. Hruska -- [EMAIL PROTECTED]
Shining Light Productions -- Meeting the needs of fellow programmers
  http://www.shininglightpro.com/



RE: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-09 Thread Xperex Tim

The problem is not that the release was made, the problem is that
it was improperly labelled.  By not saying that it was beta-quality,
people were misled.  There is a significant portion of the community
that either doesn't have the skill or the inclination to deal with
beta-quality software.

The intent of not labelling the e, f, and g releases as beta was to
have them widely distributed.  However the opposite effect is
happening as people will now be suspicious of the quality and will
simply wait to see how things shake out.

--- Jeffrey Altman [EMAIL PROTECTED] wrote:
  At 09:40 AM 8/9/2002 -0400, Gregg Andrew writeth:
  OK so is version 0.9.6e that I just compiled with Apache-2.0.39 any good?
  It was my understanding that all known security issues were addressed and
  fixed in 0.9.6e version, is this still true? I'm running on Solaris 8.
  Thanks 
  Gregg Andrew
  
  I'm just going to wait for them to get their act together and release an
  official _STABLE_ release before I go and get the latest and greatest.
  Sure there might be some issues in the current stable version, but from
  what I'm seeing, they are putting out fixes without testing every platform.
   Given that the Windows platform is barely supported by the OpenSSL
  community, it is insane to constantly try the new updates only to find they
  don't compile or something else is wrong with them.
  
  Hope this helps!
 
 Actually it doesn't.  The OpenSSL team is not capable of testing by
 themselves all of the platforms on which their code is used.  That
 requires the help of the user community.  Unfortunately, when they are
 trying to get out an emergency fix to close a security hole that can
 be used to compromise the integrity of any application or service that
 uses OpenSSL on any operating system it is a bit hard to have a two
 week public beta test.
 
 The OpenSSL team did what they felt was necessary and got a series of
 patches out for all versions of OpenSSL going back at least five years
 that when applied would alter the result of potential attacks by
 turning attacks into a denial of service rather than a system
 compromise.  Granted, the applied patches did not work on some systems
 when used with shared libraries (Windows, VMS) but the greater
 community responded within several hours with:
 
  . a fix to the exports to allow the fix to be built on Windows
 
  . an analysis of the denial of service problem outlining the path
to removing it entirely while still closing the security holes
 
  . a series of patches that removed the denial of service attack
 
 these were then integrated into OpenSSL snapshots the next day.  These
 were released yesterday with several more fixes as 0.9.6f.  Because it
 is addressing a pressing security concern there was no public beta and
 it was deemed necessary to get the build out right away before more
 companies shipped products incorporating the denial of service.  There
 was a minor build problem on some systems, therefore 0.9.6g was
 announced today.
 
 I think the OpenSSL team and the community should be congratulated for
 their response to this problem.  I only hope that vendors will be as
 quick to integrate these fixes into their products so as to avoid
 significant use of these holes for destructive purposes.
 
 - Jeff
 
 
 
 
  Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!!
  The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
  http://www.kermit-project.org/Secured with MIT Kerberos, SRP, and 
  [EMAIL PROTECTED]   OpenSSL.



RE: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-09 Thread Jeffrey Altman

If you do not have the skill to deal with a missing export in a DLL,
you do not have the skill to be working with security code. 






 Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/Secured with MIT Kerberos, SRP, and 
 [EMAIL PROTECTED]   OpenSSL.

Re: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-09 Thread Richard Levitte - VMS Whacker

In message [EMAIL PROTECTED] on Fri, 9 Aug 2002 
13:52:41 -0700 (PDT), Xperex Tim [EMAIL PROTECTED] said:

xperextim The problem is not that the release was made, the problem is that
xperextim it was improperly labelled.  By not saying that it was beta-quality,
xperextim people were misled.  There is a significant portion of the community
xperextim that either doesn't have the skill or the inclination to deal with
xperextim beta-quality software.
xperextim 
xperextim The intent of not labelling the e, f, and g releases as beta was to
xperextim have them widely distributed.  However the opposite effect is
xperextim happening as people will now be suspicious of the quality and will
xperextim simply wait to see how things shake out.

Yes, I agree, the testing was clumsy.  When I distributed 0.9.6f, I
was under the (incorrect) impression that the 0.9.6 snapshots had been
tested by some people, and that the possible bugs had been corrected.
The 0.9.6e release had the problems that Jeffrey mentioned.

Heh, this reminds me of the day back in 1993 (or was it 1994?) when
gcc was released 3 times the same day!

Anyhow, I'm writing a script that's supposed to be run from a crontab,
and that should do nightly builds of the latest snapshots (which it
fetches automagically using wget or something similar).  I'm going to
ask some users to run it and make sure the logs (if anything went
wrong) are mailed to us.  That might help us solve the problem of not
having tests running on all platforms, or what do you say?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
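The cron-driven nightly snapshot build Richard describes, written out as an added POSIX sh example (not his script and not OpenSSL project code): it fetches a snapshot, runs the configure, build and test stages with all output captured to one log, and mails that log only when a stage fails, with a one-line header naming the platform so reports from many volunteers can be told apart. The snapshot URL, report address and crontab line are placeholders, and wget and a mail command are assumed to be installed.

```shell
#!/bin/sh
# Nightly snapshot build-and-report script, meant to be run from crontab.
# Added example for this thread, not Richard Levitte's script. The snapshot
# URL, the report address and the presence of wget/mail are assumptions.

SNAPSHOT_URL="${SNAPSHOT_URL:-http://snapshots.example.invalid/openssl-SNAP.tar.gz}"  # placeholder
REPORT_TO="${REPORT_TO:-openssl-nightly@example.invalid}"                             # placeholder
WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/openssl-nightly}"

# The three build stages. They are variables so the logic can be exercised
# without a real source tree; the defaults are what the snapshots expect.
CONFIG_CMD="${CONFIG_CMD:-./config}"
BUILD_CMD="${BUILD_CMD:-make}"
TEST_CMD="${TEST_CMD:-make test}"

# fetch_snapshot URL DEST: download the tarball with wget and unpack it next
# to DEST. Returns 1 if the download fails, 2 if extraction fails.
fetch_snapshot() {
    wget -q -O "$2" "$1" || return 1
    ( cd "$(dirname "$2")" && gzip -dc "$2" | tar xf - ) || return 2
}

# build_and_test SRCDIR LOGFILE: run configure, build and test in SRCDIR,
# appending all output to LOGFILE. Returns 0 on success, otherwise the
# number (1..3) of the stage that failed, so the caller can name it.
build_and_test() {
    _src=$1; _log=$2
    : > "$_log"
    _n=0
    for _cmd in "$CONFIG_CMD" "$BUILD_CMD" "$TEST_CMD"; do
        _n=$((_n + 1))
        printf '=== stage %d: %s ===\n' "$_n" "$_cmd" >> "$_log"
        ( cd "$_src" && eval "$_cmd" ) >> "$_log" 2>&1 || return "$_n"
    done
    return 0
}

# stage_name N: readable label for a build_and_test return value.
stage_name() {
    case $1 in
        0) echo ok ;;
        1) echo configure ;;
        2) echo build ;;
        3) echo test ;;
        *) echo unknown ;;
    esac
}

# summary STATUS LOGFILE: one-line header naming the platform, so reports
# from volunteers on many systems can be told apart at a glance.
summary() {
    _host="$(uname -s) $(uname -r) $(uname -m)"
    if [ "$1" -eq 0 ]; then
        printf '%s: nightly build OK\n' "$_host"
    else
        printf '%s: nightly build FAILED in stage %s (%s), log in %s\n' \
            "$_host" "$1" "$(stage_name "$1")" "$2"
    fi
}

# report STATUS LOGFILE: mail the summary and the full log to the team, but
# only when something went wrong; a clean run sends nothing.
report() {
    [ "$1" -eq 0 ] && return 0
    { summary "$1" "$2"; echo; cat "$2"; } |
        mail -s "OpenSSL nightly: $(stage_name "$1") failed" "$REPORT_TO"
}

# main: fetch the snapshot, build it, report. Crontab entry (assumption):
#   0 3 * * * NIGHTLY_RUN=1 /path/to/nightly.sh
main() {
    mkdir -p "$WORKDIR" || exit 1
    _tar="$WORKDIR/snapshot.tar.gz"
    fetch_snapshot "$SNAPSHOT_URL" "$_tar" || { echo "fetch failed" >&2; exit 1; }
    _srcdir=$(ls -d "$WORKDIR"/openssl-*/ 2>/dev/null | head -n 1)
    [ -n "$_srcdir" ] || { echo "no source tree unpacked" >&2; exit 1; }
    _status=0
    build_and_test "$_srcdir" "$WORKDIR/build.log" || _status=$?
    report "$_status" "$WORKDIR/build.log"
    exit "$_status"
}

# Run only when invoked from cron with NIGHTLY_RUN=1; sourcing the file just
# defines the functions.
if [ "${NIGHTLY_RUN:-0}" = 1 ]; then main "$@"; fi
```

Because a green run stays silent, the volunteers' mailboxes only ever fill with real failures, and the stage number in the subject tells the team at once whether a platform failed to configure, to compile, or to pass the tests.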



RE: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-09 Thread Len Sassaman

On Fri, 9 Aug 2002, Jeffrey Altman wrote:

 If you do not have the skill to deal with a missing export in a DLL,
 you do not have the skill to be working with security code.

And people wonder why users aren't making use of the security tools
available to them.

<hangs head in shame>





RE: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-09 Thread Thomas J. Hruska

At 04:58 PM 8/9/2002 EDT, Jeffrey Altman writeth:
If you do not have the skill to deal with a missing export in a DLL,
you do not have the skill to be working with security code. 

I understand perfectly how to deal with missing exports.  I've been writing
code for 13+ years and have in-depth knowledge of thousands of subjects
(learning more every day, of course) and maintain a language base of 20
different languages.  I most certainly am skilled and am insulted to have
you tell me otherwise.

As such, I have learned, the hard way, that always obtaining the latest
and greatest of anything (including software) is not the route to take.
Someone once said to me that second- and third-generation production models
are more stable, more likely to work as expected, and more usable.  That is
one of the reasons I am holding off from moving to 0.9.6g until _I_ see
some stability in the release schedule.  If others want to follow suit,
that's fine with me.

 The problem is not that the release was made, the problem is that
 it was improperly labelled.  By not saying that it was beta-quality,
 people were misled.  There is a significant portion of the community
 that either doesn't have the skill or the inclination to deal with
 beta-quality software.
 
 The intent of not labelling the e, f, and g releases as beta was to
 have them widely distributed.  However the opposite effect is
 happening as people will now be suspicious of the quality and will
 simply wait to see how things shake out.

Shining Light Productions may have an intense release schedule, but the
Company verifies that the products released are stable and are going to
work *before* distribution.

Granted, the security issues are/were serious, but keeping your heads on
your shoulders and not running around like chickens without heads saying,
"New release!  New release!  New release!" makes OpenSSL look
unprofessional.  The issue here is responsiveness yet maintaining stability
and compilability in the releases.  There should only have been _ONE_
release, not _THREE_.  As it stands, I'm waiting a couple weeks for things
to settle down before I go out and grab the source and build it.  That
couple weeks means a couple weeks where there are no more updates.  If
any occur, that couple weeks will turn into a month or two.  Keep updating
like you have been without a decent Win32 base of developers doing beta
testing and it'll be a year before I decide to get a stable release.

Don't claim to support a platform if you don't intend on supporting it.
You have a Win32 version...so support it - completely.  I wouldn't care if
you released a version every single week as long as your Win32 code base
has been compiled and regression tested.  I have just about as much time to
wade through the makefiles as most of the other people on this list
do...that is, none.

Personally, I wouldn't mind if the OpenSSL team just made binaries for
Windows.  Most Windows developers don't like to waste time figuring out how
to build massive projects like OpenSSL (I've built several, including
OpenSSL, and none of them are fun...with minimal, usually uninformative
documentation on the Win32 build and lots of docs on the *nix builds -
unfairly treating *nix users to better, well-designed, well-written docs).
We like binaries.  Windows developers have tools to extract the needed
information from DLLs into LIBs to enable us to get back to what we were
doing...Oh!  Yeah!  Right.  I was programming!  (I almost forgot...got
side-tracked with this OpenSSL build thingie).

Hope this helps!


  Thomas J. Hruska -- [EMAIL PROTECTED]
Shining Light Productions -- Meeting the needs of fellow programmers
  http://www.shininglightpro.com/



RE: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-09 Thread Rich Salz

 Don't claim to support a platform if you don't intend on supporting it.
 You have a Win32 version...so support it - completely.

Two points:  First, you must be new to this whole open source thing.
Completely support?  Come on, I'll betcha not even Shining Light
Productions completely supports its products (i.e., what are
your warranty/liability disclaimers? :)  Second, have you read the
INSTALL.W32 file recently?  The first sentence under Troubleshooting says
"Since the Win32 build is only tested occasionally, it may not always
compile cleanly."  There are a half-dozen internal references to that
section, which itself is 50 lines of what to do.

Now, having dressed you down a bit, I will say that the openssl team 
churned through releases a little too quickly.  They should have left the 
patches they had, and then done a real fix in a week or so.  But, since 
this is the first time they've *ever* had to respond to such a situation, 
all told it's not a big deal.

 OpenSSL, and none of them are fun...with minimal, usually uninformative
 documentation on the Win32 build and lots of docs on the *nix builds -
 unfairly treating *nix users to better, well-designed, well-written docs).

I missed the point where you were owed something like this?  Fairness
doesn't enter into it.  If you want opensource code to be better supported
on your platform then (a) hire someone to do it, (b) do it yourself and
feed changes back.
/r$




Re: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-09 Thread Richard Levitte - VMS Whacker

In message [EMAIL PROTECTED] on Fri, 9 
Aug 2002 20:55:19 -0400 (EDT), Rich Salz [EMAIL PROTECTED] said:

rsalz Now, having dressed you down a bit, I will say that the openssl team 
rsalz churned through releases a little too quickly.  They should have left the 
rsalz patches they had, and then done a real fix in a week or so.  But, since 
rsalz this is the first time they've *ever* had to respond to such a situation, 
rsalz all told it's not a big deal.

Hmm, I wonder, wouldn't there have been an outcry from people who
don't want to deal with patches?  patch isn't the most well-known
program in Windows, as far as I know (I can't really say that I know
much on that platform, though)...

Anyway, if just patches would have been enough, it definitely may be
something for us to look into, at least in my opinion.  If nothing
else, it definitely saves us the work of making releases :-).

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.



Re: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-09 Thread Aleksey Sanin



 The issue here is responsiveness yet maintaining stability
 and compilability in the releases.  There should only have
 been _ONE_ release, not _THREE_.

Please, raise your hands everyone who never was in the same situation!
This is the life, move forward! Now the OpenSSL team has a stable release
and experience on how to deal with such a situation. Cross your fingers
and they will never do it again :)


Aleksey Sanin

BTW, thanks for creating patches and new release(s) so quickly!




Re: [ANNOUNCE] OpenSSL 0.9.6g released

2002-08-09 Thread Kerry_Thurber
I'm going to weigh in here, in spite of the fact that this point has been made in various ways. I find it laughably appalling that anyone would choose to insult the development team. We're getting this for free. Beggars can't be choosers, and in spite of the free nature of the software, it really sounds like they busted their tails to respond to a security flaw. There's no law that says you can't wait and judge for yourself whether some release is stable or not, but the law of common courtesy should prevent you from taking a whole professional team to task for giving you something for free. If you have such vastly superior intelligence, join the team. You could conceivably be justified in your vehemence if you were in the same boat with them. Put up or shut up.

[EMAIL PROTECTED] wrote:

To: [EMAIL PROTECTED], [EMAIL PROTECTED]
From: Richard Levitte - VMS Whacker [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 08/09/2002 05:40PM
Subject: Re: [ANNOUNCE] OpenSSL 0.9.6g released

In message [EMAIL PROTECTED] on Fri, 09 Aug 2002 19:39:14 -0400, "Thomas J. Hruska" [EMAIL PROTECTED] said:

shinelight As such, I have learned, the hard way, that always
shinelight obtaining the "latest and greatest" of anything (including
shinelight software) is not the route to take.

I agree with that, generally.  However, that seems to differ between projects.  I know one where one should basically never try to use version X.0, and version X.1 should be treated carefully, while X.2 is generally stable, and X.3 (if it appears at all) could be really beautiful.  But I completely agree that caution is a good thing.

shinelight Someone once said to me that second- and third-generation
shinelight production models are more stable, more likely to work as
shinelight expected, and more usable.  That is one of the reasons I
shinelight am holding off from moving to 0.9.6g until _I_ see some
shinelight stability in the release schedule.  If others want to
shinelight follow suit, that's fine with me.

You may have noticed that except for 0.9.6e, f and g, we have been rather good at having things tested and working, at least for default builds (Windows can have problems if one decides to skip certain algorithms, with any version before 0.9.7 beta3).

The one and only reason 0.9.6e was coming out so fast was the security issues, and the increasing risk of having information about it leak out publicly (it's rather well-known, by experience, that the longer one waits before one publishes an advisory AND a fix for it, the risk of having script-kiddies trying to hack into anything that might be exploitable by said security flaws increases.  And I mean daily!).  The missing export in the DLL was something that came up as part of that security fix.

I'm not gonna make excuses for us not having tested on Windows.  We have at least one person in the team that often does that, and we failed that particular commitment for that version.  0.9.6f was specifically tested on Windows before release.

Had it not been for the special conditions around the release of 0.9.6e, we would have acted more slowly, and have had people try the latest snapshot for a couple of days.

So, the question comes back to you, in reference to 0.9.6{e,f,g}: would you rather have had us wait a little more, and run the risk of having your Apache+mod_ssl or Apache-SSL server (assuming you run anything based on OpenSSL, otherwise you need to imagine yourself in that position) cracked, or have your computer cracked because you ran an OpenSSL-based client against a malicious server?  From *that* point of view, I think we acted in a responsible way.

shinelight Granted, the security issues are/were serious, but keeping
shinelight your heads on your shoulders and not running around like
shinelight chickens without heads saying, "New release!  New release!
shinelight New release!" makes OpenSSL look unprofessional.

As shown above, that entirely depends on what you choose to look at.

shinelight The issue here is responsiveness yet maintaining stability
shinelight and compilability in the releases.  There should only have
shinelight been _ONE_ release, not _THREE_.

I completely agree with that count.  I stand by the point that this was a special case.

shinelight As it stands, I'm waiting a couple weeks for things to
shinelight settle down before I go out and grab the source and build
shinelight it.  That "couple weeks" means a couple weeks where there
shinelight are no more updates.  If any occur, that couple weeks will
shinelight turn into a month or two.  Keep updating like you have
shinelight been without a decent Win32 base of developers doing beta
shinelight testing and it'll be a year before I decide to get a
shinelight "stable" release.

As far as I know, we have no plans of making any new release in the next few weeks.

shinelight Personally, I wouldn't mind if the OpenSSL team just made
shinelight binaries for Windows.

Some time ago on this list, I asked for people willing to create binaries of OpenSSL for different platforms, and make them