Re: new OpenSSL flaws

2014-06-08 Thread Solar Designer
On Fri, Jun 06, 2014 at 10:26:48AM +0400, Solar Designer wrote: > On Thu, Jun 05, 2014 at 04:38:24PM -0600, Theo de Raadt wrote: > > Kurt and Solar -- > > > > You are the primary contacts for the oss-security email list. > > Kurt is not. Sorry for going slightly off-topic, since this is not an O

Re: new OpenSSL flaws

2014-06-08 Thread Solar Designer
On Sun, Jun 08, 2014 at 10:38:50AM +0200, Francois Ambrosini wrote: > I am a mere user who happened to spot an inconsistency and wanted to > inform all parties. I appreciate the constructive nature of your messages. > I will not comment on your guesses and opinions with information I do > not hav

Re: new OpenSSL flaws

2014-06-08 Thread Francois Ambrosini
On Sat, 7 Jun 2014 14:19:33 +0400 Solar Designer wrote: > On Sat, Jun 07, 2014 at 09:13:36AM +0200, Francois Ambrosini wrote: > > On Sat, 7 Jun 2014 07:04:47 +0400 > > Solar Designer wrote: > > > > > Being on the distros list is not mandatory to receive advance > > > notification of security is

Re: new OpenSSL flaws

2014-06-07 Thread Stuart Henderson
On 2014-06-07, Maxime Villard wrote: > What gives LibreSSL more credibility? There's almost nothing new or > innovative in it; it's just a cleaned up copy of OpenSSL. There might > be some changes in the future, but you can be sure that LibreSSL will > lag behind OpenSSL - and most of the code wil

Re: new OpenSSL flaws

2014-06-07 Thread Kevin Chadwick
previously on this list Giancarlo Razzolini contributed: > > What gives LibreSSL more credibility? There's almost nothing new or > > innovative in it; it's just a cleaned up copy of OpenSSL. > You should do your homework. Too right, also those previous two lines showed he has no clue about real

Re: new OpenSSL flaws

2014-06-07 Thread Matthew Weigel
On 06/06/2014 10:04 PM, Solar Designer wrote: > OpenBSD having declined to use the tool shouldn't be interpreted e.g. by > OpenSSL as a reason not to notify LibreSSL directly. It seems worth noting that OpenBSD 5.5, the current release that many people are running, incorporates OpenSSL, not Libre

Re: new OpenSSL flaws

2014-06-07 Thread Giancarlo Razzolini
Em 07-06-2014 03:38, Maxime Villard escreveu: > But the devs preferred to fork and now blame people. So, no, I don't > think LibreSSL will prevail, simply because it has - and will have - > nothing new and because it has no credibility. You should really take a look at the source code. If you're si

Re: new OpenSSL flaws

2014-06-07 Thread Franco Fichtner
On 07 Jun 2014, at 08:38, Maxime Villard wrote: > Contributing code upstream would have been a way more productive > approach; It's already been stated that working with upstream is out of the question for at least the following reasons: * Bugs linger unattended for years. * The code style is

Re: new OpenSSL flaws

2014-06-07 Thread Solar Designer
On Sat, Jun 07, 2014 at 09:13:36AM +0200, Francois Ambrosini wrote: > On Sat, 7 Jun 2014 07:04:47 +0400 > Solar Designer wrote: > > > Being on the distros list is not mandatory to receive advance > > notification of security issues. The list is just a tool. People > > reporting security issues

Re: new OpenSSL flaws

2014-06-07 Thread Maxime Villard
Le 07/06/2014 05:41, Eric Furman a écrit : > > On Fri, Jun 6, 2014, at 07:28 AM, Maxime Villard wrote: >> Le 06/06/2014 12:47, Eric Furman a écrit : >>> >>> On Fri, Jun 6, 2014, at 04:20 AM, Renaud Allard wrote: On 06/06/2014 05:18 AM, Eric Furman wrote: > On Thu, Jun 5, 2014, at 08:36 PM

Re: new OpenSSL flaws

2014-06-07 Thread Francois Ambrosini
On Sat, 7 Jun 2014 07:04:47 +0400 Solar Designer wrote: > To clarify and for the record: > > Being on the distros list is not mandatory to receive advance > notification of security issues. The list is just a tool. People > reporting security issues to the distros list are encouraged to also >

Re: new OpenSSL flaws

2014-06-06 Thread Giancarlo Razzolini
Em 07-06-2014 00:04, Solar Designer escreveu: > tools and ethics are separate things It seems like you got to the real issue now. Cheers, -- Giancarlo Razzolini GPG: 4096R/77B981BC

Re: new OpenSSL flaws

2014-06-06 Thread Solar Designer
To clarify and for the record: Being on the distros list is not mandatory to receive advance notification of security issues. The list is just a tool. People reporting security issues to the distros list are encouraged to also "notify upstream projects/developers of the affected software, other

Re: new OpenSSL flaws

2014-06-06 Thread Maxime Villard
Le 06/06/2014 12:47, Eric Furman a écrit : > > On Fri, Jun 6, 2014, at 04:20 AM, Renaud Allard wrote: >> On 06/06/2014 05:18 AM, Eric Furman wrote: >>> On Thu, Jun 5, 2014, at 08:36 PM, Giancarlo Razzolini wrote: Em 05-06-2014 21:23, David Goldsmith escreveu: > Probably ipfilter > >>>

Re: new OpenSSL flaws

2014-06-06 Thread Giancarlo Razzolini
Em 06-06-2014 10:55, Dan Becker escreveu: > As a simple user who influences these decisions in deployments, I can > tell you my desire is to ssh tunnel all my openssl connections until > the guys who make SSH finish fixing ssl. > > Look at SSH's track record compared to OpenSSL. > > It's not pract

Re: new OpenSSL flaws

2014-06-06 Thread Dan Becker
Giancarlo Razzolini wrote: Writing in caps doesn't make your assumption correct. I'd really like that everybody would switch to LibreSSL. But it will not be as simple as you are putting. First of all, there are lots of money involved. And now, even more, because the Linux Foundation is funding O

Re: new OpenSSL flaws

2014-06-06 Thread André Lucas
On 6 June 2014 14:38, Giancarlo Razzolini wrote: > Em 06-06-2014 07:47, Eric Furman escreveu: > ... > talking about. Funny thing, that I didn't need to change any of my > banking passwords. I don't know what, if anything, you're implying there. Banks are generally conservative places IT-wis

Re: new OpenSSL flaws

2014-06-06 Thread Giancarlo Razzolini
Em 06-06-2014 07:47, Eric Furman escreveu: > This is a joke, right? I think you are sadly misinformed. > This is OPEN SOFTWARE. Vendors will choose the least problematic > software. > You are naive. > I think you underestimate the intelligence of SSL Vendors. > Free software is fantastic, we all b

Re: new OpenSSL flaws

2014-06-06 Thread Kapetanakis Giannis
Hi, Since I've seen many commits yesterday on cvs@ and no errata yet, I'd like to ask if the current snapshots (05/06/2014) are updated with the patches in question? Should we wait for more to come or are these adequate? Specifically i386/ (base55.tgz) = 8abfa9412a017e04ca6ff4f49a27d2dacd75049

Re: new OpenSSL flaws

2014-06-06 Thread Kapetanakis Giannis
On 06/06/14 15:24, Markus Rosjat wrote: Let's hope then that when LibreSSL is in production it will not share the same vulnerabilities with OpenSSL. Otherwise, what's the point? G well I don't know much but the point in removing 90k of c code lines from something that is messed up means to

Re: new OpenSSL flaws

2014-06-06 Thread Markus Rosjat
Am 06.06.2014 14:15, schrieb Kapetanakis Giannis: On 06/06/14 14:49, Dmitrij D. Czarkoff wrote: Eric Furman said: Given the current circumstances Libre.SSL WILL prevail. I hope you are right, but I actually believe that the circumstances of this thread may work against LibreSSL - most likely t

Re: new OpenSSL flaws

2014-06-06 Thread Kapetanakis Giannis
On 06/06/14 14:49, Dmitrij D. Czarkoff wrote: Eric Furman said: Given the current circumstances Libre.SSL WILL prevail. I hope you are right, but I actually believe that the circumstances of this thread may work against LibreSSL - most likely the time difference between vulnerability disclosure

Re: new OpenSSL flaws

2014-06-06 Thread Dmitrij D. Czarkoff
Eric Furman said: > Given the current circumstances Libre.SSL WILL prevail. I hope you are right, but I actually believe that the circumstances of this thread may work against LibreSSL - most likely the time difference between vulnerability disclosure and patches for LibreSSL would be perceived as

Re: new OpenSSL flaws

2014-06-06 Thread Renaud Allard
On 06/06/2014 12:47 PM, Eric Furman wrote: > > That's a valid opinion, but as I said, I doubt it. > Vendors aren't stupid. With all that has happened lately, > given a choice the switch will not take long. > > >> Given a choice, perhaps. But some will stick with OpenSSL only because >> they want th

Re: new OpenSSL flaws

2014-06-06 Thread Eric Furman
On Fri, Jun 6, 2014, at 04:20 AM, Renaud Allard wrote: > On 06/06/2014 05:18 AM, Eric Furman wrote: > > On Thu, Jun 5, 2014, at 08:36 PM, Giancarlo Razzolini wrote: > >> Em 05-06-2014 21:23, David Goldsmith escreveu: > >>> Probably ipfilter > >>> > >>> > >> http://christopher-technicalmusings.blogs

Re: new OpenSSL flaws

2014-06-06 Thread Renaud Allard
On 06/06/2014 05:18 AM, Eric Furman wrote: On Thu, Jun 5, 2014, at 08:36 PM, Giancarlo Razzolini wrote: Em 05-06-2014 21:23, David Goldsmith escreveu: Probably ipfilter http://christopher-technicalmusings.blogspot.com/2009/03/switching-firewalls-from-ipf-to-pf-on.html If it is indeed ipfi

Re: new OpenSSL flaws

2014-06-05 Thread Solar Designer
Theo, On Thu, Jun 05, 2014 at 04:38:24PM -0600, Theo de Raadt wrote: > Kurt and Solar -- > > You are the primary contacts for the oss-security email list. Kurt is not. I guess the reason why you got such an impression was because Kurt invited you to join distros recently, not knowing that you had

Re: new OpenSSL flaws

2014-06-05 Thread Chris Cappuccio
Miod Vallat [m...@online.fr] wrote: > > Now you have an example of how they are unwilling to work with you next > > time someone asks why not work with OpenSSL on fixing it. Pretty direct > > proof. > > The culture gap between OpenSSL and OpenBSD/LibreSSL is UNFIXABLE. > > We believe in peer re

Re: new OpenSSL flaws

2014-06-05 Thread Theo de Raadt
> I suggest you talk to Mark Cox who actually handled this stuff. I'm not > sure why you are asking two people (myself and Solar) who are NOT part of > the OpenSSL team about whom the OpenSSL team notified. Kurt, if Mark Cox is the person who handled this stuff, fine. Who cares? I am hearing cl

Re: new OpenSSL flaws

2014-06-05 Thread Eric Furman
On Thu, Jun 5, 2014, at 08:36 PM, Giancarlo Razzolini wrote: > Em 05-06-2014 21:23, David Goldsmith escreveu: > > Probably ipfilter > > > > > http://christopher-technicalmusings.blogspot.com/2009/03/switching-firewalls-from-ipf-to-pf-on.html > > > If it is indeed ipfilter, I don't think OpenSSL wil

Re: new OpenSSL flaws

2014-06-05 Thread David Goldsmith
On Jun 5, 2014, at 8:09 PM, Giancarlo Razzolini wrote: > Em 05-06-2014 20:45, Eric Furman escreveu: >> I predict that within a year OpenSSL will go the way of IPF. >> For much the same reason... >> > IPF? Care to elaborate? > > -- > Giancarlo Razzolini > GPG: 4096R/77B981BC Probably ipfilter ht

Re: new OpenSSL flaws

2014-06-05 Thread Giancarlo Razzolini
Em 05-06-2014 21:23, David Goldsmith escreveu: > Probably ipfilter > > http://christopher-technicalmusings.blogspot.com/2009/03/switching-firewalls-from-ipf-to-pf-on.html > If it is indeed ipfilter, I don't think OpenSSL will have the same fate. There is lots of money on it, and even more now, that

Re: new OpenSSL flaws

2014-06-05 Thread Johan Beisser
On Thu, Jun 5, 2014 at 5:09 PM, Giancarlo Razzolini wrote: > Em 05-06-2014 20:45, Eric Furman escreveu: >> I predict that within a year OpenSSL will go the way of IPF. >> For much the same reason... >> > IPF? Care to elaborate? Well, in 2001 there was this drama around Darren Reed's IPF, that cau

Re: new OpenSSL flaws

2014-06-05 Thread Bob Beck
I may also remind people that those lists are acknowledged right at the top as experimental. They also do not allow for non personal subscriptions, so they aren't very practical for this. What if I was away for a day or three.. Or more.. Essentially this is a nice experiment, but not really a p

Re: new OpenSSL flaws

2014-06-05 Thread Giancarlo Razzolini
Em 05-06-2014 20:45, Eric Furman escreveu: > I predict that within a year OpenSSL will go the way of IPF. > For much the same reason... > IPF? Care to elaborate? -- Giancarlo Razzolini GPG: 4096R/77B981BC

Re: new OpenSSL flaws

2014-06-05 Thread Eric Furman
I predict that within a year OpenSSL will go the way of IPF. For much the same reason...

Re: new OpenSSL flaws

2014-06-05 Thread Stuart Henderson
On 2014/06/05 20:43, Martin, Matthew wrote: > > That's exactly my thought. Especially, because FreeBSD and NetBSD were > > warned, but not OpenBSD. If this was only a rant or any childish > > behavior from them, it's something stupid and, of course, not the right > > thing to do. But hey, we're all h

Re: new OpenSSL flaws

2014-06-05 Thread Giancarlo Razzolini
Em 05-06-2014 19:43, Bob Beck escreveu: > For the record, we didn't get advance notice of Heartbleed either, so > this is nothing new. Bob, I didn't know that. I feel like I've released a monster (Cthulhu anyone?). I was just curious when I asked Theo if this had happened before. It's possible

Re: new OpenSSL flaws

2014-06-05 Thread Bob Beck
We are not on a linux distros mailing list, because we are not a linux distribution. And this private mailing list is not really an acknowledged conduit for vulnerability release. I was asked by someone privately if *I* would be on that mailing list on June 2nd. I said I would consider it, but as

Re: new OpenSSL flaws

2014-06-05 Thread Theo de Raadt
> Not saying I believe or disbelieve him, but it can't hurt to join even > if it is only until 5.6 comes out. Another way to phrase this is The OpenBSD user community should accept they have suffered because Theo declined an invitation to a private email list, entirely unrelated to th

Re: new OpenSSL flaws

2014-06-05 Thread Theo de Raadt
> > That's exactly my thought. Especially, because FreeBSD and NetBSD were > > warned, but not OpenBSD. If this was only a rant or any childish > > behavior from them, it's something stupid and, of course, not the right > > thing to do. But hey, we're all human. My real concern is if this > > somethi

Re: new OpenSSL flaws

2014-06-05 Thread Martin, Matthew
> That's exactly my thought. Especially, because FreeBSD and NetBSD were > warned, but not OpenBSD. If this was only a rant or any childish > behavior from them, it's something stupid and, of course, not the right > thing to do. But hey, we're all human. My real concern is if this > something else, a

Re: new OpenSSL flaws

2014-06-05 Thread Theo de Raadt
> >Is clear that the second process -- intending to also take an ethical > >path for disclosure -- should not specifically exclude a part of the > >community. > > They specifically exclude parts of the community that specifically > say they don't want to be INCLUDED. > > See: http://seclists.org/

Re: new OpenSSL flaws

2014-06-05 Thread Kurt Mosiejczuk
On 6/5/2014 4:02 PM, Miod Vallat wrote: Now you have an example of how they are unwilling to work with you next time someone asks why not work with OpenSSL on fixing it. Pretty direct proof. The culture gap between OpenSSL and OpenBSD/LibreSSL is UNFIXABLE. We believe in peer review; they

Re: new OpenSSL flaws

2014-06-05 Thread Marco Pfatschbacher
On Thu, Jun 05, 2014 at 08:02:58PM +, Miod Vallat wrote: > > If you can't trust people to apply one-liner fixes correctly, can you > trust them for anything serious? I really don't like to point fingers, but... It is done by the same people that introduced the Debian random number bug back

Re: new OpenSSL flaws

2014-06-05 Thread Miod Vallat
> Now you have an example of how they are unwilling to work with you next > time someone asks why not work with OpenSSL on fixing it. Pretty direct > proof. The culture gap between OpenSSL and OpenBSD/LibreSSL is UNFIXABLE. We believe in peer review; they don't give a sh*t about it (as shown le

Re: new OpenSSL flaws

2014-06-05 Thread Kurt Mosiejczuk
On 6/5/2014 3:27 PM, Theo de Raadt wrote: Unfortunately I find myself believing reports that the OpenSSL people intentionally asked others for quarantine, and went out of their way to ensure this information would not come to OpenBSD and LibreSSL. There, I've said it. Now you have and examp

Re: new OpenSSL flaws

2014-06-05 Thread Giancarlo Razzolini
Em 05-06-2014 16:27, Theo de Raadt escreveu: > There are two main open-source processes for dealing with discovery of > security issues and disclosure of that information to the greater > community. > > - One common process is that generally followed by OpenBSD. In this > process a bug is found

Re: new OpenSSL flaws

2014-06-05 Thread Theo de Raadt
There are two main open-source processes for dealing with discovery of security issues and disclosure of that information to the greater community. - One common process is that generally followed by OpenBSD. In this process a bug is found, and a fix is committed as soon as the improvement is

Re: new OpenSSL flaws

2014-06-05 Thread Giancarlo Razzolini
Em 05-06-2014 15:57, Theo de Raadt escreveu: >> Em 05-06-2014 15:42, dera...@cvs.openbsd.org escreveu: >>> We are sorry that the errata for these libssl security issues are not >>> up yet. >>> >>> The majority of these issues are in our ssl library as well. >>> >>> Most other operating system vendo

Re: new OpenSSL flaws

2014-06-05 Thread Theo de Raadt
> Em 05-06-2014 15:42, dera...@cvs.openbsd.org escreveu: > > We are sorry that the errata for these libssl security issues are not > > up yet. > > > > The majority of these issues are in our ssl library as well. > > > > Most other operating system vendors have patches available, but that > > is bec

Re: new OpenSSL flaws

2014-06-05 Thread Giancarlo Razzolini
Em 05-06-2014 15:42, dera...@cvs.openbsd.org escreveu: > We are sorry that the errata for these libssl security issues are not > up yet. > > The majority of these issues are in our ssl library as well. > > Most other operating system vendors have patches available, but that > is because they were (

new OpenSSL flaws

2014-06-05 Thread deraadt
We are sorry that the errata for these libssl security issues are not up yet. The majority of these issues are in our ssl library as well. Most other operating system vendors have patches available, but that is because they were (obviously) given a heads up to prepare them over the last few days.