Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
Le mercredi 25 octobre 2017 12:01:45 UTC+2, Erik Bray a écrit : > > On Wed, Oct 25, 2017 at 3:56 AM, William Stein > wrote: > > > > On Tue, Oct 24, 2017 at 3:08 PM Eric Gourgoulhon > > > wrote: > >> > >> Thanks Emmanuel for the discussion summary. > >> > >> > >> Le mardi 24 octobre 2017

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
I'd rather discuss this in the (to be opened Real Soon Now) proposal for implementation. -- Emmanuel Charpentier Le mercredi 25 octobre 2017 11:57:13 UTC+2, Erik Bray a écrit : > > (Sorry for the multiple replies--there are just a lot of disparate > issues touched on in this message that I think

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
Le mercredi 25 octobre 2017 11:46:38 UTC+2, Erik Bray a écrit : > > Hi Emmanuel, > > On Tue, Oct 24, 2017 at 8:58 PM, Emmanuel Charpentier > > wrote: > > Similarly, I am still in the dark about the ability of our Cygwin port > to > > ensure the availability of the Cygwin-ported OpenSSL libra

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
Le mercredi 25 octobre 2017 11:42:32 UTC+2, Erik Bray a écrit : > > On Wed, Oct 25, 2017 at 12:08 AM, Eric Gourgoulhon > > wrote: > > Thanks Emmanuel for the discussion summary. > > > > Le mardi 24 octobre 2017 20:58:17 UTC+2, Emmanuel Charpentier a écrit : > >> > >> > >> It is true. But w

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
Le mercredi 25 octobre 2017 10:41:15 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-25 00:08, Eric Gourgoulhon wrote: > > I have the feeling that the current tendency is towards a more modular > > and lighter Sage, which deviates from the original "batteries included" > > philosophy. > > I wo

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Erik Bray
On Wed, Oct 25, 2017 at 3:56 AM, William Stein wrote: > > On Tue, Oct 24, 2017 at 3:08 PM Eric Gourgoulhon > wrote: >> >> Thanks Emmanuel for the discussion summary. >> >> >> Le mardi 24 octobre 2017 20:58:17 UTC+2, Emmanuel Charpentier a écrit : >>> >>> >>> It is true. But we are hoisted by our

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Erik Bray
(Sorry for the multiple replies--there are just a lot of disparate issues touched on in this message that I think would be confusing to reply to all at once). On Tue, Oct 24, 2017 at 8:58 PM, Emmanuel Charpentier wrote: > This point of view is of course incompatible with the result of the vote. >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Erik Bray
Hi Emmanuel, On Tue, Oct 24, 2017 at 8:58 PM, Emmanuel Charpentier wrote: > Similarly, I am still in the dark about the ability of our Cygwin port to > ensure the availability of the Cygwin-ported OpenSSL library and development > files. Again, Erik's expertise will be needed during implementatio

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Erik Bray
On Wed, Oct 25, 2017 at 12:08 AM, Eric Gourgoulhon wrote: > Thanks Emmanuel for the discussion summary. > > Le mardi 24 octobre 2017 20:58:17 UTC+2, Emmanuel Charpentier a écrit : >> >> >> It is true. But we are hoisted by our own petard : from our tutorial : >> "The Sage download file comes with

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Jeroen Demeyer
On 2017-10-25 00:08, Eric Gourgoulhon wrote: I have the feeling that the current tendency is towards a more modular and lighter Sage, which deviates from the original "batteries included" philosophy. I would like to keep "batteries OPTIONALLY included". This means: use system software if possi

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread 'Julien Puydt' via sage-devel
Hi, Le 25/10/2017 à 00:08, Eric Gourgoulhon a écrit : > Le mardi 24 octobre 2017 20:58:17 UTC+2, Emmanuel Charpentier a écrit : > > > It is true. But we are hoisted by our own petard : from our tutorial > : > "The Sage down

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread William Stein
On Tue, Oct 24, 2017 at 3:08 PM Eric Gourgoulhon wrote: > Thanks Emmanuel for the discussion summary. > > > Le mardi 24 octobre 2017 20:58:17 UTC+2, Emmanuel Charpentier a écrit : >> >> >> It is true. But we are hoisted by our own petard : from our tutorial >>

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread Dr. David Kirkby (Kirkby Microwave Ltd)
On 24 October 2017 at 15:51, Emmanuel Charpentier < emanuel.charpent...@gmail.com> wrote: > Final tally > > Yes, we should fully support OpenSSL now, and clarify the licensing issue > : 9 unambiguous votes : > > > > No, we should wait until OpenSSL finishes fixing their license situation > fo

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread Emmanuel Charpentier
Le mardi 24 octobre 2017 21:34:18 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-24 20:58, Emmanuel Charpentier wrote: > > A non-communicating R in Sage can be very useful if you are not using R > > in Sage at all > > I just meant to say that if you don't use R, then it's fine to have a > non

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread Jeroen Demeyer
On 2017-10-24 20:58, Emmanuel Charpentier wrote: A non-communicating R in Sage can be very useful if you are not using R in Sage at all I just meant to say that if you don't use R, then it's fine to have a non-communicating R. I admit that the wording was a bit cryptic.

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-24 Thread Erik Bray
On Mon, Oct 23, 2017 at 6:31 PM, Dima Pasechnik wrote: > There are various https-only software repos, not only Python or R-relayed. > IIRC kernel.org is one of them. Without SSL headers one cannot build tools to > access such repos; e.g. there are no such headers in Xcode. > One may keep repeati

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Dima Pasechnik
There are various https-only software repos, not only Python or R-relayed. IIRC kernel.org is one of them. Without SSL headers one cannot build tools to access such repos; e.g. there are no such headers in Xcode. One may keep repeating "optional" etc mantras, but it does not make non-functionin

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 4:16 PM, Nathan Dunfield wrote: > On Monday, October 23, 2017 at 7:32:03 AM UTC-5, Erik Bray wrote: >> >> > I also balk at the idea of shipping a crippled pip. >> >> It's not crippled if you don't need it to install from HTTPS which not >> everyone does. > > > I agree with

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread John H Palmieri
By the way, on OS X, an SSL-enabled curl is installed along with Xcode, so if we use that in Sage, I wonder if R will work with full functionality. (See #24081.) If so, OpenSSL would only be "needed" for Sage's pip. John On Monday, October 23, 2017 at 9:05:16 AM UTC-7, Erik Bray wrote: > > O

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 5:15 PM, Emmanuel Charpentier wrote: > >> >> Other participants to discussion, which did not formally vote, or "threw >> their vote away" ((C) Michael Orlitzky) in favor of another option : 10 >> people > > > No : make that 7 people... > >> >> David Joyner >> Michael Orlitz

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Nathan Dunfield
On Monday, October 23, 2017 at 7:32:03 AM UTC-5, Erik Bray wrote: > > > I also balk at the idea of shipping a crippled pip. > > It's not crippled if you don't need it to install from HTTPS which not > everyone does. > I agree with Emmanuel that providing "pip" without HTTPS is shipping a broken

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Le lundi 23 octobre 2017 15:44:09 UTC+2, Erik Bray a écrit : > > On Mon, Oct 23, 2017 at 3:28 PM, Emmanuel Charpentier > > wrote: > >> It should be possible to disable the requirement at > >> configure time and fallback to a different default. It's a shame we > >> require a patch for this fo

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread 'Julien Puydt' via sage-devel
Le 23/10/2017 à 15:40, Emmanuel Charpentier a écrit : > BTW : the vote closes in about 20 minutes. This is your last chance to > take back any "too hasty" votes. My vote: no openSSL now - wait until the license issues are solved Snark on #sagemath

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 3:28 PM, Emmanuel Charpentier wrote: >> It should be possible to disable the requirement at >> configure time and fallback to a different default. It's a shame we >> require a patch for this for now but I can help push for an upstream >> fix to this if need be, because I t

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 3:19 PM, Emmanuel Charpentier wrote: > > > Le lundi 23 octobre 2017 14:32:03 UTC+2, Erik Bray a écrit : >> >> On Mon, Oct 23, 2017 at 12:27 PM, Emmanuel Charpentier >> wrote: >> > >> > >> > Le lundi 23 octobre 2017 12:17:06 UTC+2, Erik Bray a écrit : >> >> >> >> On Mon, Oc

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Le lundi 23 octobre 2017 14:43:18 UTC+2, Erik Bray a écrit : > > On Mon, Oct 23, 2017 at 2:31 PM, Erik Bray > wrote: > > The same should be true for R, > > and if this is not the case (and I'm not convinced it isn't) > > This part I take back. I see now that in R's configure it really does

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Le lundi 23 octobre 2017 14:32:03 UTC+2, Erik Bray a écrit : > > On Mon, Oct 23, 2017 at 12:27 PM, Emmanuel Charpentier > > wrote: > > > > > > Le lundi 23 octobre 2017 12:17:06 UTC+2, Erik Bray a écrit : > >> > >> On Mon, Oct 23, 2017 at 11:57 AM, Emmanuel Charpentier > >> wrote: > >> >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 2:31 PM, Erik Bray wrote: > The same should be true for R, > and if this is not the case (and I'm not convinced it isn't) This part I take back. I see now that in R's configure it really does refuse to proceed if it doesn't find the right libcurl with SSL support. It's n

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 12:27 PM, Emmanuel Charpentier wrote: > > > Le lundi 23 octobre 2017 12:17:06 UTC+2, Erik Bray a écrit : >> >> On Mon, Oct 23, 2017 at 11:57 AM, Emmanuel Charpentier >> wrote: >> > Dear Erik, >> > >> > Le lundi 23 octobre 2017 11:16:05 UTC+2, Erik Bray a écrit : >> >> >> >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Le lundi 23 octobre 2017 12:17:06 UTC+2, Erik Bray a écrit : > > On Mon, Oct 23, 2017 at 11:57 AM, Emmanuel Charpentier > > wrote: > > Dear Erik, > > > > Le lundi 23 octobre 2017 11:16:05 UTC+2, Erik Bray a écrit : > >> > >> On Thu, Oct 19, 2017 at 5:19 PM, Emmanuel Charpentier > >> wrote

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Dear Jeroen Le lundi 23 octobre 2017 11:24:18 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-19 17:21, Emmanuel Charpentier wrote: > > I do not think that a > > non-communicating R is useful in Sage. > > A non-communicating R in Sage can be very useful if you are not using R > in Sage at all (

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 11:57 AM, Emmanuel Charpentier wrote: > Dear Erik, > > Le lundi 23 octobre 2017 11:16:05 UTC+2, Erik Bray a écrit : >> >> On Thu, Oct 19, 2017 at 5:19 PM, Emmanuel Charpentier >> wrote: >> > Again : R is not only a software package but also an ecosystem. The >> > 11638 >>

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Emmanuel Charpentier
Dear Erik, Le lundi 23 octobre 2017 11:16:05 UTC+2, Erik Bray a écrit : > > On Thu, Oct 19, 2017 at 5:19 PM, Emmanuel Charpentier > > wrote: > > Again : R is not only a software package but also an ecosystem. The > 11638 > > (as of today) packages available to R users are a large part of R >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 11:28 AM, Erik Bray wrote: > On Mon, Oct 23, 2017 at 11:24 AM, Jeroen Demeyer > wrote: >> On 2017-10-19 17:21, Emmanuel Charpentier wrote: >>> >>> I do not think that a >>> non-communicating R is useful in Sage. >> >> >> A non-communicating R in Sage can be very useful if

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Mon, Oct 23, 2017 at 11:24 AM, Jeroen Demeyer wrote: > On 2017-10-19 17:21, Emmanuel Charpentier wrote: >> >> I do not think that a >> non-communicating R is useful in Sage. > > > A non-communicating R in Sage can be very useful if you are not using R in > Sage at all (which is very likely the

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Jeroen Demeyer
On 2017-10-19 17:21, Emmanuel Charpentier wrote: I do not think that a non-communicating R is useful in Sage. A non-communicating R in Sage can be very useful if you are not using R in Sage at all (which is very likely the vast majority of Sage users).

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Fri, Oct 20, 2017 at 10:58 AM, Jeroen Demeyer wrote: > On 2017-10-19 20:07, Luca De Feo wrote: >> >> There you go for something crippled! https://shattered.io/ > > > I don't think that this is actually relevant. This attack would only work if > an attacker is able to provide a specially manufa

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Thu, Oct 19, 2017 at 10:56 PM, Thierry wrote: > Hi, > > On Thu, Oct 19, 2017 at 08:07:19PM +0200, Luca De Feo wrote: >> |X| Yes, we should fully support OpenSSL now, and clarify the >> licensing issue. >> >> > the way our >> > "package manager" works allows to install an optional package wi

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Thu, Oct 19, 2017 at 5:21 PM, Emmanuel Charpentier wrote: > > > Le mercredi 18 octobre 2017 20:36:47 UTC+2, Jeroen Demeyer a écrit : >> >> On 2017-10-18 19:02, Emmanuel Charpentier wrote: >> > This option commits us to maintain (unnecessary and dangerous, IMHO) >> > Sage-specific SSL patches at

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-23 Thread Erik Bray
On Thu, Oct 19, 2017 at 5:19 PM, Emmanuel Charpentier wrote: > Again : R is not only a software package but also an ecosystem. The 11638 > (as of today) packages available to R users are a large part of R usefulness > to its users. So, "disabling downloads from CRAN" is *NOT* fine (to them, at > l

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-21 Thread Emmanuel Charpentier
Le vendredi 20 octobre 2017 10:58:32 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-19 20:07, Luca De Feo wrote: > > There you go for something crippled! https://shattered.io/ > > I don't think that this is actually relevant. This attack would only > work if an attacker is able to provide a s

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-21 Thread David Joyner
On Sat, Oct 21, 2017 at 12:02 PM, Eric Gourgoulhon wrote: > Hi, > > Having read the discussion, I would add a big +1 to what Thierry proposes in > https://groups.google.com/d/msg/sage-devel/fE45025Wphs/FheYtjBWAAAJ > > So I guess that in terms of vote this means > > |X| Yes, we should fully suppor

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-21 Thread Emmanuel Charpentier
Le vendredi 20 octobre 2017 10:51:17 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-19 17:19, Emmanuel Charpentier wrote: > > Again : R is not only a software package but also an ecosystem. > > But why? One could say the same for Python, but you can still install > Python without OpenSSL. >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-21 Thread Emmanuel Charpentier
Le vendredi 20 octobre 2017 10:49:40 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-19 17:24, William Stein wrote: > > Good, as well they should. Like you, they likely feel a responsibility > > to their users to do the right thing regarding security. I really > > appreciate the "so much tr

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Dima Pasechnik
In fact, John pointed out that I am wrong; while openssl is supported by Xcode binaries, there are no headers available! (it used to be the case that they were present in some hidden directories, but this seems to be not true any more) On Friday, October 20, 2017 at 7:20:17 PM UTC+1, kcrisman wr

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread kcrisman
On Thursday, October 19, 2017 at 6:29:46 PM UTC-4, John H Palmieri wrote: > > > > On Thursday, October 19, 2017 at 2:17:10 PM UTC-7, Dima Pasechnik wrote: >> >> the 1-click openssl install image for OSX is called Xcode, and one can go >> for a long lunch while waiting for it to finish, even on a

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Maarten Derickx
On Wednesday, 18 October 2017 18:23:53 UTC+2, Thierry (sage-googlesucks@xxx) wrote: > > Hi, > > the dichotomy of the vote is not clear to me. > > I am -1 to make openssl a standard package (hence shipped with the source > tarball), not only regarding licensing issues but also for security >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Luca De Feo
> That is totally not what I said. We don't care about collision resistance, > but we still need preimage resistance. That is still fine for SHA1 (even MD5 > as far as I know). If that's your point, an attacker can produce two colliding packages: a perfectly sound mathematical package and a malici

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Dima Pasechnik
On Friday, October 20, 2017 at 10:13:54 AM UTC+1, Jeroen Demeyer wrote: > > On 2017-10-20 10:54, Dima Pasechnik wrote: > > Once upon a time, http was not universally supported, one needed to use > > ftp instead. > > You misunderstood my point. It is not about http vs. https. > > What bothers

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Jeroen Demeyer
On 2017-10-20 11:32, Luca De Feo wrote: So according to your point checking the SHA1 is useless, because attackers are not able to get malicious source tarballs accepted by SageMath. That is totally not what I said. We don't care about collision resistance, but we still need preimage resistanc

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Luca De Feo
>> There you go for something crippled! https://shattered.io/ > > > I don't think that this is actually relevant. This attack would only work if > an attacker is able to provide a specially manufactured source tarball and > get it accepted by SageMath. At that point, the attacker could instead jus

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Jeroen Demeyer
On 2017-10-20 10:54, Dima Pasechnik wrote: Once upon a time, http was not universally supported, one needed to use ftp instead. You misunderstood my point. It is not about http vs. https. What bothers me is that "downloading packages from CRAN" is considered so important by R that it refuses

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Jeroen Demeyer
On 2017-10-19 20:07, Luca De Feo wrote: There you go for something crippled! https://shattered.io/ I don't think that this is actually relevant. This attack would only work if an attacker is able to provide a specially manufactured source tarball and get it accepted by SageMath. At that poin

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Dima Pasechnik
On Friday, October 20, 2017 at 9:51:17 AM UTC+1, Jeroen Demeyer wrote: > > On 2017-10-19 17:19, Emmanuel Charpentier wrote: > > Again : R is not only a software package but also an ecosystem. > > But why? One could say the same for Python, but you can still install > Python without OpenSSL. >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Jeroen Demeyer
On 2017-10-19 17:19, Emmanuel Charpentier wrote: Again : R is not only a software package but also an ecosystem. But why? One could say the same for Python, but you can still install Python without OpenSSL. What if I simply want to use R without any external packages? Or what if I want to d

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-20 Thread Jeroen Demeyer
On 2017-10-19 17:24, William Stein wrote: Good, as well they should. Like you, they likely feel a responsibility to their users to do the right thing regarding security. I really appreciate the "so much trouble" you are "causing" Emmanuel. I also agree here. The only options should be "use

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread John H Palmieri
On Thursday, October 19, 2017 at 2:17:10 PM UTC-7, Dima Pasechnik wrote: > > the 1-click openssl install image for OSX is called Xcode, and one can go > for a long lunch while waiting for it to finish, even on a fast network... > > Apple should pick up the bill for these lunches, and much more,

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Dima Pasechnik
the 1-click openssl install image for OSX is called Xcode, and one can go for a long lunch while waiting for it to finish, even on a fast network... Apple should pick up the bill for these lunches, and much more, I fully agree.

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Thierry
Hi, On Thu, Oct 19, 2017 at 08:07:19PM +0200, Luca De Feo wrote: > |X| Yes, we should fully support OpenSSL now, and clarify the > licensing issue. > > > the way our > > "package manager" works allows to install an optional package without > > having to rely on openssl (no https), we only rel

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Luca De Feo
|X| Yes, we should fully support OpenSSL now, and clarify the licensing issue. > the way our > "package manager" works allows to install an optional package without > having to rely on openssl (no https), we only rely on the computation of > sha1 There you go for something crippled! https://

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread William Stein
On Thu, Oct 19, 2017 at 8:19 AM Emmanuel Charpentier < emanuel.charpent...@gmail.com> wrote: > Dear Erik > > Le jeudi 19 octobre 2017 09:19:00 UTC+2, Erik Bray a écrit : > >> On Wed, Oct 18, 2017 at 8:36 PM, Jeroen Demeyer >> wrote: >> > On 2017-10-18 19:02, Emmanuel Charpentier wrote: >> >> >> >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Emmanuel Charpentier
Le mercredi 18 octobre 2017 20:36:47 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-18 19:02, Emmanuel Charpentier wrote: > > This option commits us to maintain (unnecessary and dangerous, IMHO) > > Sage-specific SSL patches at least in R, Python and pip > > Really? Which Sage-specific SSL patc

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Emmanuel Charpentier
Dear Erik Le jeudi 19 octobre 2017 09:19:00 UTC+2, Erik Bray a écrit : > > On Wed, Oct 18, 2017 at 8:36 PM, Jeroen Demeyer > wrote: > > On 2017-10-18 19:02, Emmanuel Charpentier wrote: > >> > >> This option commits us to maintain (unnecessary and dangerous, IMHO) > >> Sage-specific SSL patches

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Emmanuel Charpentier
Dear Jeroen, Unless you correct me, I'll tally your vote as |X| No, we should wait until OpenSSL finishes fixing their license situation formally. -- Emmanuel Charpentier Le mercredi 18 octobre 2017 11:10:38 UTC+2, Jeroen Demeyer a écrit : > > First of all, I think that your email is unfair be

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Erik Bray
On Thu, Oct 19, 2017 at 3:49 PM, kcrisman wrote: > >> > For what it is worth, I strongly agree with everything you write above. >> > +1 >> >> Also +1 with some quibbles about section (agree with in >> principle, but in tone or nuance). >> > > perhaps didn't they find the openssl one-click instal

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread kcrisman
> > For what it is worth, I strongly agree with everything you write above. > +1 > > Also +1 with some quibbles about section (agree with in > principle, but in tone or nuance). > > perhaps didn't they find the openssl one-click installer right in the middle of the screen yet. That sound

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-19 Thread Erik Bray
On Wed, Oct 18, 2017 at 8:36 PM, Jeroen Demeyer wrote: > On 2017-10-18 19:02, Emmanuel Charpentier wrote: >> >> This option commits us to maintain (unnecessary and dangerous, IMHO) >> Sage-specific SSL patches at least in R, Python and pip > > > Really? Which Sage-specific SSL patches does this req

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Jeroen Demeyer
On 2017-10-18 19:02, Emmanuel Charpentier wrote: This option commits us to maintain (unnecessary and dangerous, IMHO) Sage-specific SSL patches at least in R, Python and pip Really? Which Sage-specific SSL patches does this require in Python and pip? It seems to me that R is the only package ca

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Erik Bray
On Wed, Oct 18, 2017 at 6:37 PM, William Stein wrote: > > On Wed, Oct 18, 2017 at 9:23 AM Thierry > wrote: >> >> Hi, >> >> the dichotomy of the vote is not clear to me. >> >> I am -1 to make openssl a standard package (hence shipped with the source >> tarball), not only regarding licensing issues

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Emmanuel Charpentier
Dear Thierry, Le mercredi 18 octobre 2017 18:23:53 UTC+2, Thierry (sage-googlesucks@xxx) a écrit : > > Hi, > > the dichotomy of the vote is not clear to me. > > I am -1 to make openssl a standard package (hence shipped with the source > tarball), not only regarding licensing issues but also fo

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread William Stein
On Wed, Oct 18, 2017 at 9:23 AM Thierry wrote: > Hi, > > the dichotomy of the vote is not clear to me. > > I am -1 to make openssl a standard package (hence shipped with the source > tarball), not only regarding licensing issues but also for security > reasons: our "package manager" is such that

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Thierry
Hi, the dichotomy of the vote is not clear to me. I am -1 to make openssl a standard package (hence shipped with the source tarball), not only regarding licensing issues but also for security reasons: our "package manager" is such that packages can not be updated unless Sage itself is updated (be

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Emmanuel Charpentier
Le mercredi 18 octobre 2017 15:37:13 UTC+2, Dr. David Kirkby (Kirkby Microwave Ltd) a écrit : > > On 18 October 2017 at 14:13, Erik Bray > > wrote: > >> On Wed, Oct 18, 2017 at 11:52 AM, Dr. David Kirkby (Kirkby Microwave >> Note: We're not talking about adding *any* OpenSSL code to SageMath. >>

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Dr. David Kirkby (Kirkby Microwave Ltd)
On 18 October 2017 at 14:13, Erik Bray wrote: > On Wed, Oct 18, 2017 at 11:52 AM, Dr. David Kirkby (Kirkby Microwave > Note: We're not talking about adding *any* OpenSSL code to SageMath. > Sage would never be distributed with code from OpenSSL. We're only > talking about providing a means to do

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Erik Bray
On Wed, Oct 18, 2017 at 11:52 AM, Dr. David Kirkby (Kirkby Microwave Ltd) wrote: > On 18 Oct 2017 00:39, "William Stein" wrote: >> >> >> On Tue, Oct 17, 2017 at 4:35 PM Dr. David Kirkby (Kirkby Microwave Ltd) >> wrote: > >>> There are a lot of number theorists using Sagemath. Could one or more >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Jeroen Demeyer
On 2017-10-18 01:38, William Stein wrote: Absolutely not. That's not how security software works (and would be insulting to the OpenSSL developers). You are **epically** underestimating what OpenSSL is and does. +1 Implementing crypto in practice is very different from implementing a toy R

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Emmanuel Charpentier
Le mercredi 18 octobre 2017 11:52:47 UTC+2, Dr. David Kirkby (Kirkby Microwave Ltd) a écrit : > > On 18 Oct 2017 00:39, "William Stein" > > wrote: > > > > > > On Tue, Oct 17, 2017 at 4:35 PM Dr. David Kirkby (Kirkby Microwave Ltd) < > drki...@kirkbymicrowave.co.uk > wrote: > > >> There are a lo

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Dr. David Kirkby (Kirkby Microwave Ltd)
On 18 Oct 2017 00:39, "William Stein" wrote: > > > On Tue, Oct 17, 2017 at 4:35 PM Dr. David Kirkby (Kirkby Microwave Ltd) < drkir...@kirkbymicrowave.co.uk> wrote: >> There are a lot of number theorists using Sagemath. Could one or more consider implementing the functionality of OpenSSL in a re-w

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Maarten Derickx
On Wednesday, 18 October 2017 03:35:15 UTC+2, Michael Orlitzky wrote: > > On 10/17/2017 08:42 PM, Maarten Derickx wrote: > > > > What makes you think their process is dubious? They are reaching out for > > consent from all people who have contributed, and they have removed the > > code from t

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Emmanuel Charpentier
Le mercredi 18 octobre 2017 10:58:28 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-18 03:08, William Stein wrote: > > (a) using a broken version of the Python/R/Sage stack that exposes > > them to installing malware > > Is that really the case? I think pip is actually fail-safe in the sense

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Emmanuel Charpentier
Le mercredi 18 octobre 2017 10:58:28 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-18 03:08, William Stein wrote: > > (a) using a broken version of the Python/R/Sage stack that exposes > > them to installing malware > > Is that really the case? I think pip is actually fail-safe in the sense

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Dima Pasechnik
I think the elaboration part of the "Yes" option was not very carefully worded, this is what Michael pointed out. We cannot HOST OpenSSL source (this is illegal with its present license), but nothing prevents us from providing means to install it legally. To be on a safe side with binary distribu

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Emmanuel Charpentier
Le mercredi 18 octobre 2017 10:51:21 UTC+2, Jeroen Demeyer a écrit : > > On 2017-10-18 03:08, William Stein wrote: > > The choice for users installing the Sage binary is between: > > So you are worried about *binaries*? Are there any distros that we ship > binaries for that *don't* have a system

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Jeroen Demeyer
First of all, I think that your email is unfair because it presents the "Yes" option as something that we could just easily do. However, as mentioned in another post in this thread, the "Yes" option might actually be illegal. So my vote is "No".

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Dima Pasechnik
On Wednesday, October 18, 2017 at 9:51:21 AM UTC+1, Jeroen Demeyer wrote: > > On 2017-10-18 03:08, William Stein wrote: > > The choice for users installing the Sage binary is between: > > So you are worried about *binaries*? Are there any distros that we ship > binaries for that *don't* have a

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Jeroen Demeyer
On 2017-10-18 03:08, William Stein wrote:
> (a) using a broken version of the Python/R/Sage stack that exposes them to installing malware

Is that really the case? I think pip is actually fail-safe in the sense that it simply refuses to download if OpenSSL is not supported. So there is no expo

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-18 Thread Jeroen Demeyer
On 2017-10-18 03:08, William Stein wrote:
> The choice for users installing the Sage binary is between:

So you are worried about *binaries*? Are there any distros that we ship binaries for that *don't* have a systemwide OpenSSL installed by default?

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread William Stein
On Tue, Oct 17, 2017 at 6:41 PM Michael Orlitzky wrote: > On 10/17/2017 09:37 PM, William Stein wrote: > > > > The mail that they sent to contributors ended with, > > > > If we do not hear from you, we will assume that you have no > objection. > > > > That's not the way it works, >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread Michael Orlitzky
On 10/17/2017 09:37 PM, William Stein wrote: > > The mail that they sent to contributors ended with, > >   If we do not hear from you, we will assume that you have no objection. > > That's not the way it works, > > > Says who?   This is all about how things work legally, and the r

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread William Stein
On Tue, Oct 17, 2017 at 6:35 PM Michael Orlitzky wrote: > On 10/17/2017 08:42 PM, Maarten Derickx wrote: > > > > What makes you think their process is dubious? They are reaching out for > > consent from all people who have contributed, and they have removed the > > code from the several people wh

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread Michael Orlitzky
On 10/17/2017 08:42 PM, Maarten Derickx wrote: > > What makes you think their process is dubious? They are reaching out for > consent from all people who have contributed, and they have removed the > code from the several people who have objected on record. > The mail that they sent to contribut

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread William Stein
On Mon, Oct 16, 2017 at 11:55 PM Jeroen Demeyer wrote: > So basically you want to add OpenSSL to Sage and then say > > "We know that distributing SageMath might be illegal, but it is unlikely > that somebody will sue. Use at your own risk!" > > I doubt that this is such a good deal. The choice

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread Maarten Derickx
On Tuesday, 17 October 2017 22:46:52 UTC+2, Michael Orlitzky wrote: > > On 10/17/2017 03:56 PM, Emmanuel Charpentier wrote: > > > > Throwing my vote away: > > > > [X] Require OpenSSL to be installed on the system. > > > > > > That's not one of the proposed options. > > That's what

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread William Stein
On Tue, Oct 17, 2017 at 4:35 PM Dr. David Kirkby (Kirkby Microwave Ltd) < drkir...@kirkbymicrowave.co.uk> wrote: > > On 17 Oct 2017 23:56, "Dima Pasechnik" wrote: > > > > On Tuesday, October 17, 2017 at 10:52:47 PM UTC+1, Nicolas M. Thiéry > wrote: > >> > >> > > > The problem is that we cannot, a

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread Dr. David Kirkby (Kirkby Microwave Ltd)
On 17 Oct 2017 23:56, "Dima Pasechnik" wrote: > > On Tuesday, October 17, 2017 at 10:52:47 PM UTC+1, Nicolas M. Thiéry wrote: >> >> > The problem is that we cannot, as rightfully pointed here by Michael, provide a tarball with OpenSSL source, as this > would be an outright copyright violation. Th

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread Dima Pasechnik
On Tuesday, October 17, 2017 at 10:52:47 PM UTC+1, Nicolas M. Thiéry wrote: > > > I have no strong opinion on whether to make OpenSSL a hard requirement > or providing it if it's not there. But *not* having OpenSSL is a > recurrent pain (e.g. for pip installing package) and it would be > reall

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread Nicolas M. Thiery
I have no strong opinion on whether to make OpenSSL a hard requirement or providing it if it's not there. But *not* having OpenSSL is a recurrent pain (e.g. for pip installing package) and it would be really helpful to be able to rely on it. If we make it a hard requirement, how to install OpenSS

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread Michael Orlitzky
On 10/17/2017 03:56 PM, Emmanuel Charpentier wrote: > > Throwing my vote away: > > [X] Require OpenSSL to be installed on the system. > > > That's not one of the proposed options. That's what I meant by "throwing my vote away" =) > But it seems to imply that we should wait for OpenSS

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread Emmanuel Charpentier
Dear Michael, Le mardi 17 octobre 2017 21:49:50 UTC+2, Michael Orlitzky a écrit : > > On 10/17/2017 02:55 AM, Jeroen Demeyer wrote: > > So basically you want to add OpenSSL to Sage and then say > > > > "We know that distributing SageMath might be illegal, but it is unlikely > > that somebody w

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-17 Thread Michael Orlitzky
On 10/17/2017 02:55 AM, Jeroen Demeyer wrote: > So basically you want to add OpenSSL to Sage and then say > > "We know that distributing SageMath might be illegal, but it is unlikely > that somebody will sue. Use at your own risk!" > > I doubt that this is such a good deal. > Not to mention th
