In message <[EMAIL PROTECTED]> on Fri, 09 Aug 2002 19:39:14 -0400, "Thomas J. Hruska" <[EMAIL PROTECTED]> said:
shinelight> As such, I have learned, the hard way, that always
shinelight> obtaining the "latest and greatest" of anything (including
shinelight> software) is not the route to take.

I agree with that, generally. However, that seems to vary between projects. I know one where one should basically never try to use version X.0, and version X.1 should be treated carefully, while X.2 is generally stable, and X.3 (if it appears at all) could be really beautiful. But I completely agree that caution is a good thing.

shinelight> Someone once said to me that second- and third-generation
shinelight> production models are more stable, more likely to work as
shinelight> expected, and more usable. That is one of the reasons I
shinelight> am holding off from moving to 0.9.6g until _I_ see some
shinelight> stability in the release schedule. If others want to
shinelight> follow suit, that's fine with me.

You may have noticed that except for 0.9.6e, f and g, we have been rather good at having things tested and working, at least for default builds (Windows can have problems if one decides to skip certain algorithms, with any version before 0.9.7 beta3). The one and only reason 0.9.6e was coming out so fast was the security issues, and the increasing risk of having information about it leak out publicly (it's rather well-known, by experience, that the longer one waits before one publishes an advisory AND a fix for it, the risk of having script-kiddies trying to hack into anything that might be exploitable by said security flaws increases. And I mean daily!). The missing export in the DLL was something that came up as part of that security fix. I'm not gonna make excuses for us not having tested on Windows. We have at least one person in the team that often does that, and we failed that particular commitment for that version. 0.9.6f was specifically tested on Windows before release.
Had it not been for the special conditions around the release of 0.9.6e, we would have acted more slowly, and have had people try the latest snapshot for a couple of days. So, the question comes back to you, in reference to 0.9.6{e,f,g}: would you rather we had waited a little more, and run the risk of having your Apache+mod_ssl or Apache-SSL server (assuming you run anything based on OpenSSL, otherwise you need to imagine yourself in that position) cracked, or have your computer cracked because you ran an OpenSSL-based client against a malicious server? From *that* point of view, I think we acted in a responsible way.

shinelight> Granted, the security issues are/were serious, but keeping
shinelight> your heads on your shoulders and not running around like
shinelight> chickens without heads saying, "New release! New release!
shinelight> New release!" makes OpenSSL look unprofessional.

As shown above, that entirely depends on what you choose to look at.

shinelight> The issue here is responsiveness yet maintaining stability
shinelight> and compilability in the releases. There should only have
shinelight> been _ONE_ release, not _THREE_.

I completely agree with that count. I stand by the point that this was a special case.

shinelight> As it stands, I'm waiting a couple weeks for things to
shinelight> settle down before I go out and grab the source and build
shinelight> it. That "couple weeks" means a couple weeks where there
shinelight> are no more updates. If any occur, that couple weeks will
shinelight> turn into a month or two. Keep updating like you have
shinelight> been without a decent Win32 base of developers doing beta
shinelight> testing and it'll be a year before I decide to get a
shinelight> "stable" release.

As far as I know, we have no plans of making any new release in the next few weeks.

shinelight> Personally, I wouldn't mind if the OpenSSL team just made
shinelight> binaries for Windows.
Some time ago on this list, I asked for people willing to create binaries of OpenSSL for different platforms, and make them public. We'd be happy to point at sites that would consistently do that. I don't quite recall if there was any response, but sometimes I see someone answering questions about binaries (the latest responded that there are compiled DLLs available at the STunnel site). I would love to see a complete install kit that installs OpenSSL on Windows, just as any other piece of software. I do not have the resources or the knowledge to do that myself, however, and I've no idea if anyone else on the team does either. One thing that makes distribution of binaries world-wide tricky is patents on some algorithms in some countries... That is, like it or not, something one has to look into and deal with.

shinelight> Most Windows developers don't like to waste time figuring
shinelight> out how to build massive projects like OpenSSL (I've built
shinelight> several, including OpenSSL, and none of them are
shinelight> fun...with minimal, usually uninformative documentation on
shinelight> the Win32 build and lots of docs on the *nix builds -
shinelight> unfairly treating *nix users to better, well-designed,
shinelight> well-written docs).

If you have complaints about INSTALL.W32, nothing stops you from providing a change proposal. I find it adequate for my needs... What usually gets me is that on Windows, there are a number of ways to build, while on Unix, you do it one way (at least as far as I know, and as long as you don't deal with shared libraries, for which there are a number of extra support scripts. We're working on that).

shinelight> We like binaries. Windows developers have tools to
shinelight> extract the needed information from DLLs into LIBs to
shinelight> enable us to get back to what we were doing...Oh! Yeah!
shinelight> Right. I was programming! (I almost forgot...got
shinelight> side-tracked with this OpenSSL build thingie).
Oh, I'm sorry, does the build of OpenSSL stop you from using an editor at the same time, or building your own application as well?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                  \ SWEDEN            \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]