At 02:40 AM 8/10/2002 +0200, Richard Levitte - VMS Whacker writeth:
>In message <[EMAIL PROTECTED]> on Fri, 09 Aug 2002 19:39:14 -0400, "Thomas J. Hruska" <[EMAIL PROTECTED]> said:
>
>So, the question comes back to you, in reference to 0.9.6{e,f,g}:
>would you rather have us having waited a little more, and run the risk
>of having your Apache+mod_ssl or Apache-SSL server (assuming you run
>anything based on OpenSSL, otherwise you need to imagine yourself in
>that position) cracked, or have your computer cracked because you ran
>an OpenSSL-based client against a malicious server? From *that*
>point of view, I think we acted in a responsible way.

Perhaps. I personally wouldn't have minded as much if the following actions were taken:

1) The OpenSSL team receives notice of the security flaws in OpenSSL and notifies via [ANNOUNCE] that they exist and schedules a fix release date.
2) The OpenSSL team then proceeds to fix the source.
3) Use [ANNOUNCE] to notify the lists that the latest CVS tree has fixes for the security issues. This allows for people to make sure it works for all platforms.
4) On the fix release date, announce the release.

At most you would need two updates, but this would allow for a couple days for people to make sure it compiles cleanly.

OR

Forward me a notice of major CVS updates...
http://www.shininglightpro.com/search.php?searchname=Win32+OpenSSL

>shinelight> Personally, I wouldn't mind if the OpenSSL team just made
>shinelight> binaries for Windows.
>
>Some time ago on this list, I asked for people willing to create
>binaries of OpenSSL for different platforms, and make them public.

I'm willing! Well, for Win32 anyway:
http://www.shininglightpro.com/search.php?searchname=Win32+OpenSSL
(Same link as before)

I'd like to start developing a team for this extension, but first I need to set up a system that everyone can work with. <beg>So, Windows lovers, _please_ don't start bombarding me with requests to join yet.</beg>

>We'd be happy to point at sites that would consistently do that. I
>don't quite recall if there was any response, but sometimes I see
>someone answering questions about binaries (the latest responded that
>there are compiled DLLs available at the STunnel site).
>
>I would love to see a complete install kit that installs OpenSSL on
>Windows, just as any other piece of software. I do not have the
>resources or the knowledge to do that myself, however, and I've no
>idea if anyone else on the team does either.

I do: <http://www.innosetup.com/>

InnoSetup is what Shining Light Productions uses for scripted packaging for automated distribution.
There are multiple ways to access the scripting engine. The favored method is the command-line iscc tool. InnoSetup has its own language with very detailed help. It is also freeware and the license allows for both commercial and non-commercial use.

>One thing that makes distribution of binaries world-wide tricky is
>patents on some algorithms in some countries... That is, like it or
>not, something one has to look into and deal with.

InnoSetup has the ability to create customized installations. I'd recommend changing OpenSSL to accept a configuration (INI) file for algorithm selection. That way multiple binaries won't have to be built and all countries can be supported (multiple configs will have to be created, but that shouldn't be too difficult and won't occupy much space).

Hope this helps!

Thomas J. Hruska -- [EMAIL PROTECTED]
Shining Light Productions -- "Meeting the needs of fellow programmers"
http://www.shininglightpro.com/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]