[cryptography] Just how bad is OpenSSL ?

Aaron Grattafiori aaron at digitalinfinity.net
Tue Oct 30 10:51:46 EDT 2012


Thank god...
On Oct 30, 2012 7:50 AM, "Ben Laurie" <ben at links.org> wrote:

> On Tue, Oct 30, 2012 at 2:39 PM, Patrick Mylund Nielsen
> <cryptography at patrickmylund.com> wrote:
> > I would be happy to volunteer to move everything to Github. But it really is
> > really, really easy to do, and the maintenance required is minimal. That or
> > git+redmine or git+JIRA would be my suggestion.
>
> The team has ruled out having the master at github.
>
> >
> >
> > On Tue, Oct 30, 2012 at 3:28 PM, Ben Laurie <ben at links.org> wrote:
> >>
> >> On Tue, Oct 30, 2012 at 2:21 PM, Matthew Green <matthewdgreen at gmail.com>
> >> wrote:
> >> > So:
> >> >
> >> > 1. What is the process by which you get OpenSSL contributors to notice a
> >> > serious issue and apply a patch?
> >>
> >> I wouldn't know, I haven't tried :-)
> >>
> >> In my case, just ask (me, that is, not some mailing list). If the
> >> issue is serious, I will likely apply the patch.
> >>
> >> > 2. What are the criteria for applying a patch? Is it just 'whatever
> >> > interests the devs'? It seems that publishing an exploit works, but is that
> >> > necessary?
> >>
> >> I think it can be taken as read that the devs are interested in the
> >> security and stability of OpenSSL.
> >>
> >> > 3. It's 2012 -- why the **** is OpenSSL running its own ticket tracker
> >> > and source control servers??? (RT is a disaster.)
> >>
> >> Damn good question. Probably because we don't have a volunteer to move
> >> everything somewhere else and keep it running.
> >>
> >> > 4. What does it take to become an OpenSSL volunteer?
> >>
> >> :-) Like most (good) open source projects: sustained contribution.
> >>
> >> >
> >> > Matt
> >> >
> >> > On Oct 30, 2012, at 10:12 AM, Ben Laurie <ben at links.org> wrote:
> >> >
> >> >> On Tue, Oct 30, 2012 at 11:58 AM, Jeffrey Walton <noloader at gmail.com>
> >> >> wrote:
> >> >>> On Tue, Oct 30, 2012 at 5:03 AM, Ben Laurie <ben at links.org> wrote:
> >> >>>> On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton <noloader at gmail.com>
> >> >>>> wrote:
> >> >>>>> On Fri, Oct 26, 2012 at 2:29 PM, John Case <case at sdf.org> wrote:
> >> >>>>>>
> >> >>>>>> [SNIP]
> >> >>>>
> >> >>>> Apparently you think the best way to get a secure platform is to apply
> >> >>>> pressure through pointless security standards. I'd suggest your
> >> >>>> efforts might be better spent supplying patches instead. Or, y'know,
> >> >>>> talking to the authors of the s/w in question. You never know, they
> >> >>>> might care.
> >> >>> Ah, OK. My bad.
> >> >>>
> >> >>> I've tried supplying patches and filing bug report/enhancement
> >> >>> requests.
> >> >>>
> >> >>> Here was a gentle patch for spelling corrections in a README -
> >> >>> rejected.
> >> >>>
> >> >>> http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2401.
> >> >>
> >> >> AFAICS that is not rejected, it is ignored. There's a difference.
> >> >>
> >> >> Also, your patch appears to be reversed. Or your spelling is terrible
> >> >> :-)
> >> >>
> >> >>> Here was a patch for Xcode awareness - rejected (is it fair to say
> >> >>> when it sits for years without acknowledgement?).
> >> >>>
> >> >>> http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2402.
> >> >>
> >> >> Also not rejected.
> >> >>
> >> >> Now, I agree that having patches ignored isn't so great either, but
> >> >> the problem is:
> >> >>
> >> >> * RT doesn't actually work, the guy who allegedly maintains our
> >> >> infrastructure doesn't, and the team can't agree what to do about it
> >> >> (not that it's tried very hard).
> >> >>
> >> >> * OpenSSL is mostly maintained by volunteers, who may not have felt
> >> >> particularly inspired by your patches, or may just have missed them.
> >> >>
> >> >> * When people are paid, they're generally paid to do specific things,
> >> >> not to trawl through RT (if they even could) looking for patches to
> >> >> adopt. I'm sure someone could pay for that if they want to, though.
> >> >>
> >> >> * CVS is a shit tool, too, making it hard to deal with patches - we've
> >> >> even agreed as a team to move off it, but see above about
> >> >> infrastructure :-)
> >> >>
> >> >>> I can't locate a bug report on the use of the uninitialized data.
> >> >>> Perhaps I had the discussion on the developer's mailing list (I know
> >> >>> I'm not imagining it, so my apologies).
> >> >>>
> >> >>> I am also aware that patches existed for some time for CCM mode, GCM
> >> >>> mode, and SRP. In the case of GCM, IBM supplied the patches 5 or 10
> >> >>> years earlier. None were acted upon.
> >> >>
> >> >> It always amuses me when bigcorp pays to have a patch made, but
> >> >> somehow manages to fail to understand that the guy applying the patch
> >> >> has to eat, too. Plus, ISTR the IP situation is none too clear on all
> >> >> of these.
> >> >>
> >> >> This reminds me of the first attempt to FIPSify OpenSSL, where there
> >> >> was zero budget for the developer - just money for test labs and the
> >> >> like ("what do you mean you want money to work on it? I thought it was
> >> >> free software!").
> >> >>
> >> >>> The project does not appear to want outside help. If I am drawing the
> >> >>> wrong conclusion, please forgive me.
> >> >>
> >> >> I'll grant you that your very small patches could be considered help,
> >> >> and it is a little unfortunate that they were ignored, but like I say,
> >> >> RT is a shit tool, at least as implemented at OpenSSL, as is CVS (I
> >> >> notice you didn't supply the needed 4 patches, just a single one) and
> >> >> no-one's paying anyone to pick patches up from it, particularly.
> >> >>
> >> >> The rest of your "help" appears to be specifying flags you'd like to
> >> >> be used and expecting us to do the work for you. Which I actually
> >> >> might, I find that kind of thing therapeutic, but you get my point.
> >> >>
> >> >> I think the project would welcome help - but it needs to be useful help
> >> >> :-)
> >> >> _______________________________________________
> >> >> cryptography mailing list
> >> >> cryptography at randombit.net
> >> >> http://lists.randombit.net/mailman/listinfo/cryptography