[cryptography] Just how bad is OpenSSL ?

Ben Laurie ben at links.org
Mon Nov 5 04:31:08 EST 2012


On Mon, Nov 5, 2012 at 5:07 AM, Nico Williams <nico at cryptonector.com> wrote:
> On Sun, Nov 4, 2012 at 8:42 AM, Ben Laurie <ben at links.org> wrote:
>> On Sat, Nov 3, 2012 at 12:26 AM, James A. Donald <jamesd at echeque.com> wrote:
>>> On Oct 30, 2012 7:50 AM, "Ben Laurie" <ben at links.org> wrote:
>>>> The team has ruled out having the master at github.
>>>
>>> What is wrong with github?
>>
>> TBH, I wouldn't mind much, but I think the concern is that it's not
>> under our control.
>
> It's just git, so keep multiple clone repos.  You could use an
> internal one as the master and push updates to the github one if you
> don't trust github -- use github to serve outsiders.

That is exactly the plan.

>  Really, what
> matters is that you have one master repo and all other official repos
> be read-only clones of it.  As with any master/slave failover/takeover
> scheme you can always recover from the death of the master by
> promoting a clone to master status.  So why not trust github?  Because
> they've been hacked?  But if you keep multiple clones and people keep
> private clones then you depend on git's use of SHA-1 Merkle hash trees
> for security.  Or, if you want *private* repos, then you must either
> run your own git servers or pay a github or gitorious.

Indeed.

>
> Nico
> --
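
The dependence on git's SHA-1 Merkle hash trees mentioned in the quoted message, shown as an added example that is not part of the original email: a mirror whose early history was altered ends up with a different tip commit id even when its current files match the master. The file contents, identity string, timestamp and helper names are constructed for illustration, and only flat trees of regular files are handled.

```python
import hashlib

def git_object_id(kind: bytes, body: bytes) -> str:
    # git hashes "<type> <size>\0" followed by the object body
    header = kind + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def blob_id(content: bytes) -> str:
    return git_object_id(b"blob", content)

def tree_id(files: dict) -> str:
    # Flat tree of regular files; each entry embeds the blob's raw 20-byte id
    body = b""
    for name in sorted(files, key=str.encode):
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
    return git_object_id(b"tree", body)

def commit_id(tree: str, parent, message: str) -> str:
    # A commit names its tree and its parent, so its id covers all history
    ident = "Example Dev <dev@example.invalid> 1352107868 +0000"  # constructed
    lines = ["tree " + tree] + (["parent " + parent] if parent else [])
    lines += ["author " + ident, "committer " + ident, "", message, ""]
    return git_object_id(b"commit", "\n".join(lines).encode())

def tip_of(history) -> str:
    # history: list of (files, message) snapshots, oldest first
    parent = None
    for files, message in history:
        parent = commit_id(tree_id(files), parent, message)
    return parent

# Constructed sample data: the mirror's FIRST commit differs by a few bytes,
# while its latest snapshot is byte-for-byte identical to the master's.
MASTER = [({"rand.c": b"seed(entropy);\n"}, "add rng"),
          ({"rand.c": b"seed(entropy);\n", "README": b"docs\n"}, "add docs")]
MIRROR = [({"rand.c": b"seed(0);\n"}, "add rng"),
          ({"rand.c": b"seed(entropy);\n", "README": b"docs\n"}, "add docs")]

def mirror_is_consistent(master, mirror) -> bool:
    # Comparing one tip id compares every file in every commit behind it
    return tip_of(master) == tip_of(mirror)

if __name__ == "__main__":
    print("master tip:", tip_of(MASTER))
    print("mirror tip:", tip_of(MIRROR))
    print("consistent:", mirror_is_consistent(MASTER, MIRROR))
```

The comparison is only as strong as SHA-1's collision resistance, and the master's tip id has to reach the verifier through a channel the mirror does not control.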


