Aehm, do you remember the PR #9864 were we (not me, I did approve, but I was unable to get a second approval) failed to approve the PR, so the author just closed his PR and went fishing instead.
I think we need to revive that PR somehow. That is IMHO a security relevant issue when you cannot use the correct prefix with spaces, as they are in Windows. Can that one at least considered for inclusion? Thanks Bernd. On 3/26/20 9:13 PM, Bernd Edlinger wrote: > > > On 3/26/20 9:10 PM, Tim Hudson wrote: >> We don't guarantee constant time. >> > > #11411 does, I don't see why we hurry so much for 1.1.1f > > we got into this situation because everything moves so quickly, > why does everyone here think we should move even faster now? > > What is the reason for this? > > Bernd. > >> Tim. >> >> On Fri, 27 Mar 2020, 5:41 am Bernd Edlinger, <bernd.edlin...@hotmail.de> >> wrote: >> >>> So I disagree, it is a bug when it is not constant time. >>> >>> >>> On 3/26/20 8:26 PM, Tim Hudson wrote: >>>> +1 for a release - and soon - and without bundling any more changes. The >>>> circumstances justify getting this fix out. But I also think we need to >>>> keep improvements that aren't bug fixes out of stable branches. >>>> >>>> Tim. >>>> >>>> On Fri, 27 Mar 2020, 3:12 am Matt Caswell, <m...@openssl.org> wrote: >>>> >>>>> On 26/03/2020 15:14, Short, Todd wrote: >>>>>> This type of API-braking change should be reserved for something like >>>>>> 3.0, not a patch release. >>>>>> >>>>>> Despite it being a "incorrect", it is expected behavior. >>>>>> >>>>> >>>>> Right - but the question now is not whether we should revert it (it has >>>>> been reverted) - but whether this should trigger a 1.1.1f release soon? >>>>> >>>>> Matt >>>>> >>>>>> -- >>>>>> -Todd Short >>>>>> // tsh...@akamai.com <mailto:tsh...@akamai.com> >>>>>> // “One if by land, two if by sea, three if by the Internet." >>>>>> >>>>>>> On Mar 26, 2020, at 11:03 AM, Dr. Matthias St. Pierre >>>>>>> <matthias.st.pie...@ncp-e.com <mailto:matthias.st.pie...@ncp-e.com>> >>>>>>> wrote: >>>>>>> >>>>>>> I agree, go ahead. >>>>>>> >>>>>>> Please also consider reverting the change for the 3.0 alpha release as >>>>>>> well, see Daniel Stenbergs comment >>>>>>> >>> https://github.com/openssl/openssl/issues/11378#issuecomment-603730581 >>>>>>> < >>>>> >>> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openssl_openssl_issues_11378-23issuecomment-2D603730581&d=DwMGaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=QBEcQsqoUDdk1Q26CzlzNPPUkKYWIh1LYsiHAwmtRik&m=87AtfQDFl1z9cdRP12QeRUizmgnW6ejbufNT40Gip4Q&s=djWoIIXyggxwOfbwrmYGrSJdR5tWm06IdzY9x9tDxkA&e= >>>>>> >>>>>>> >>>>>>> Matthias >>>>>>> >>>>>>> >>>>>>> *From**:* openssl-project <openssl-project-boun...@openssl.org >>>>>>> <mailto:openssl-project-boun...@openssl.org>> *On Behalf Of *Dmitry >>>>>>> Belyavsky >>>>>>> *Sent:* Thursday, March 26, 2020 3:48 PM >>>>>>> *To:* Matt Caswell <m...@openssl.org <mailto:m...@openssl.org>> >>>>>>> *Cc:* openssl-project@openssl.org <mailto:openssl-project@openssl.org >>>> >>>>>>> *Subject:* Re: 1.1.1f >>>>>>> >>>>>>> >>>>>>> On Thu, Mar 26, 2020 at 5:14 PM Matt Caswell <m...@openssl.org >>>>>>> <mailto:m...@openssl.org>> wrote: >>>>>>> >>>>>>> The EOF issue (https://github.com/openssl/openssl/issues/11378 >>>>>>> < >>>>> >>> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openssl_openssl_issues_11378&d=DwMGaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=QBEcQsqoUDdk1Q26CzlzNPPUkKYWIh1LYsiHAwmtRik&m=87AtfQDFl1z9cdRP12QeRUizmgnW6ejbufNT40Gip4Q&s=MAiLjfGJWaKvnBvqnM4fcyvGVfUyj9CDANO_vh4wfco&e= >>>>>> ) >>>>>>> has >>>>>>> resulted in us reverting the original EOF change in the 1.1.1 >>> branch >>>>>>> (https://github.com/openssl/openssl/pull/11400 >>>>>>> < >>>>> >>> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openssl_openssl_pull_11400&d=DwMGaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=QBEcQsqoUDdk1Q26CzlzNPPUkKYWIh1LYsiHAwmtRik&m=87AtfQDFl1z9cdRP12QeRUizmgnW6ejbufNT40Gip4Q&s=3hBU2pt84DQlrY1dCnSn9x1ah1gSzH6NEO_bNRH-6DE&e= >>>>>> ). >>>>>>> >>>>>>> Given that this seems to have broken quite a bit of stuff, I >>> propose >>>>>>> that we do a 1.1.1f soon (possibly next Tuesday - 31st March). >>>>>>> >>>>>>> Thoughts? >>>>>>> >>>>>>> >>>>>>> I strongly support this idea. >>>>>>> >>>>>>> -- >>>>>>> SY, Dmitry Belyavsky >>>>>> >>>>> >>>> >>> >>