[sage-devel] Re: Incorrect GAP3 tarball on mirrors

2017-10-25 Thread Travis Scrimshaw
Thank you, Travis On Thursday, October 26, 2017 at 5:32:04 AM UTC+10, Volker Braun wrote: > > I updated the file, should take a while to propagate to the mirrors. > > On Wednesday, October 25, 2017 at 10:52:27 AM UTC+2, Travis Scrimshaw > wrote: >> >> I just tried to install GAP3 and it resulted

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread Luca De Feo
Serving over https is very easy nowadays, thanks to letsencrypt. Nonetheless, it may take some time for all mirrors to switch to it. Switching to sha-256 hashes is a much more trivial change, which can be rolled out almost overnight. In the same vein, on the download page only md5 hashes are list

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread Michael Orlitzky
On 10/25/2017 04:29 PM, Emmanuel Charpentier wrote: > Ouch ! The security problem so well explained by William turns out to be > a much larger "social" problem... > > Worth attacking ? > Not really... you can get commit access to sage.git by asking nicely. Ultimately, HTTPS is pointless unless yo

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread William Stein
On Wed, Oct 25, 2017 at 1:29 PM Emmanuel Charpentier < emanuel.charpent...@gmail.com> wrote: > Ouch ! The security problem so well explained by William turns out to be a > much larger "social" problem... > > > Worth attacking ? > I think it's better to think of computer security as being about a

Re: [sage-devel] Implementation plan : inclusion of OpenSSL

2017-10-25 Thread Emmanuel Charpentier
I see... I'll try to think of an alternative, if that turns out to be an unpassable obstacle. -- Emmanuel Charpentier On Wednesday, October 25, 2017 at 21:37:59 UTC+2, Michael Orlitzky wrote: > > On 10/25/2017 12:14 PM, Emmanuel Charpentier wrote: > > Can you explain how the Wget case is differen

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread Emmanuel Charpentier
Ouch ! The security problem so well explained by William turns out to be a much larger "social" problem... Worth attacking ? -- Emmanuel Charpentier On Wednesday, October 25, 2017 at 21:45:37 UTC+2, Volker Braun wrote: > > Pretty much anybody can host a download mirror by sending Harald an email, >

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread Volker Braun
Pretty much anybody can host a download mirror by sending Harald an email, so requiring https to download files doesn't mean much. On Wednesday, October 25, 2017 at 6:32:26 PM UTC+2, William wrote: > > > On Wed, Oct 25, 2017 at 9:12 AM Emmanuel Charpentier < > emanuel.c...@gmail.com > wrote: >

Re: [sage-devel] Implementation plan : inclusion of OpenSSL

2017-10-25 Thread Michael Orlitzky
On 10/25/2017 12:14 PM, Emmanuel Charpentier wrote: > Can you explain how the Wget case is different from ours ? A single entity (the FSF) owned the copyright on all of the code in wget when they changed the license to add the exception. The same is not true of SageMath: we don't have copyright as

[sage-devel] Re: Incorrect GAP3 tarball on mirrors

2017-10-25 Thread Volker Braun
I updated the file, should take a while to propagate to the mirrors. On Wednesday, October 25, 2017 at 10:52:27 AM UTC+2, Travis Scrimshaw wrote: > > I just tried to install GAP3 and it resulted in an error saying the > checksums did not match. I suspect the one on the mirror is the one from > t

Re: [sage-devel] Proposal : a branch for OpenSSL-less Sage

2017-10-25 Thread Emmanuel Charpentier
On Wednesday, October 25, 2017 at 18:10:50 UTC+2, vdelecroix wrote: You are suggesting to reread a very long thread... not very useful to > get new people involved. A summary is available, the final tally being here

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread William Stein
On Wed, Oct 25, 2017 at 9:12 AM Emmanuel Charpentier < emanuel.charpent...@gmail.com> wrote: > During the [discussion]( > https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ) of > the inclusion of OpenSSL, a few remarks were made about the security of our > distribution infrastruct

Re: [sage-devel] Proposal : a branch for OpenSSL-less Sage

2017-10-25 Thread Emmanuel Charpentier
On Wednesday, October 25, 2017 at 18:10:02 UTC+2, Jeroen Demeyer wrote: > > On 2017-10-25 18:01, Emmanuel Charpentier wrote: > > Your inputs, please ? > > I think it is completely pointless. And it's never going to work in > practice... nobody is going to want to maintain that branch. > Maybe p

Re: [sage-devel] Proposal : a branch for OpenSSL-less Sage

2017-10-25 Thread Emmanuel Charpentier
On Wednesday, October 25, 2017 at 18:10:50 UTC+2, vdelecroix wrote: > > You are suggesting to reread a very long thread... not very useful to > get new people involved. A summary is [available](https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ), the final tally being [here](

Re: [sage-devel] Sagemath mirrors security issues

2017-10-25 Thread Erik Bray
On Wed, Oct 25, 2017 at 6:12 PM, Emmanuel Charpentier wrote: > During the > [discussion](https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ) > of the inclusion of OpenSSL, a few remarks were made about the security of > our distribution infrastructure. > > > It has been noted that

Re: [sage-devel] Re: Implementation plan : inclusion of OpenSSL

2017-10-25 Thread Emmanuel Charpentier
On Wednesday, October 25, 2017 at 18:10:10 UTC+2, Erik Bray wrote: > > On Wed, Oct 25, 2017 at 5:42 PM, Emmanuel Charpentier > > wrote: > > I need an example of a standard package not installed if present > systemwide > > : I know there are some, but can't retrieve it right now... > > gcc >

Re: [sage-devel] Implementation plan : inclusion of OpenSSL

2017-10-25 Thread Emmanuel Charpentier
Can you explain how the Wget case is different from ours ? -- Emmanuel Charpentier On Wednesday, October 25, 2017 at 18:12:10 UTC+2, Jeroen Demeyer wrote: > > On 2017-10-25 17:38, Emmanuel Charpentier wrote: > > The incompatibility between GPL and OpenSSL Licenses does not seem to > > amount to mu

[sage-devel] Sagemath mirrors security issues

2017-10-25 Thread Emmanuel Charpentier
During the [discussion](https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ) of the inclusion of OpenSSL, a few remarks were made about the security of our distribution infrastructure. It has been noted that http is ridiculously easy to hijack

Re: [sage-devel] Implementation plan : inclusion of OpenSSL

2017-10-25 Thread Jeroen Demeyer
On 2017-10-25 17:38, Emmanuel Charpentier wrote: The incompatibility between GPL and OpenSSL Licenses does not seem to amount to much This is a very dubious statement. And the rest of your implementation plan depends on this, so we should really think about this. For example, a lot depends o

Re: [sage-devel] Proposal : a branch for OpenSSL-less Sage

2017-10-25 Thread Erik Bray
On Wed, Oct 25, 2017 at 6:09 PM, Jeroen Demeyer wrote: > On 2017-10-25 18:01, Emmanuel Charpentier wrote: >> >> Your inputs, please ? > > > I think it is completely pointless. And it's never going to work in > practice... nobody is going to want to maintain that branch. Agreed; it's completely un

Re: [sage-devel] Proposal : a branch for OpenSSL-less Sage

2017-10-25 Thread Vincent Delecroix
You are suggesting to reread a very long thread... not very useful to get new people involved. As far as I understand there are distinct things: A) distributing Sage sources (which has little to do with SSL) B) building Sage with or without SSL support C) distributing Sage binaries with or w

Re: [sage-devel] Re: Implementation plan : inclusion of OpenSSL

2017-10-25 Thread Erik Bray
On Wed, Oct 25, 2017 at 5:42 PM, Emmanuel Charpentier wrote: > I need an example of a standard package not installed if present systemwide > : I know there are some, but can't retrieve it right now... gcc > On Wednesday, October 25, 2017 at 17:38:20 UTC+2, Emmanuel Charpentier wrote: >> >> Proposal

Re: [sage-devel] Proposal : a branch for OpenSSL-less Sage

2017-10-25 Thread Jeroen Demeyer
On 2017-10-25 18:01, Emmanuel Charpentier wrote: Your inputs, please ? I think it is completely pointless. And it's never going to work in practice... nobody is going to want to maintain that branch. -- You received this message because you are subscribed to the Google Groups "sage-devel" g

[sage-devel] Proposal : a branch for OpenSSL-less Sage

2017-10-25 Thread Emmanuel Charpentier
The recent vote on the inclusion of OpenSSL in Sage has shown that some Sage developers [wished](https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ) to keep the ability to build Sage without dependence on this contentious library. I think that this can be implemented, thanks

Re: [sage-devel] Implementation plan : inclusion of OpenSSL

2017-10-25 Thread Dr. David Kirkby (Kirkby Microwave Ltd)
On 25 October 2017 at 16:38, Emmanuel Charpentier < emanuel.charpent...@gmail.com> wrote: > Proposal for implementation of OpenSSL inclusion in Sage. > > The inclusion of OpenSSL in Sage has been decided > > after a long and fru

[sage-devel] Re: Implementation plan : inclusion of OpenSSL

2017-10-25 Thread Emmanuel Charpentier
I need an example of a standard package not installed if present systemwide : I know there are some, but can't retrieve it right now... -- Emmanuel Charpentier On Wednesday, October 25, 2017 at 17:38:20 UTC+2, Emmanuel Charpentier wrote: > > Proposal for implementation of OpenSSL inclusion in Sage.

[sage-devel] Implementation plan : inclusion of OpenSSL

2017-10-25 Thread Emmanuel Charpentier
Proposal for implementation of OpenSSL inclusion in Sage. The inclusion of OpenSSL in Sage has been decided after a long and fruitful discussion. Now rem

Re: [sage-devel] Re: How do I overwrite comparison for modules?

2017-10-25 Thread Jeroen Demeyer
Just never ever override double underscore __richtcmp__ for elements. Yes, that is a very good point to make and reinforce. Same for __add__, __mul__ and so on... except if you explicitly want to bypass the coercion model (which is not fully supported anyway, see #24066) -- You recei

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
On Wednesday, October 25, 2017 at 12:01:45 UTC+2, Erik Bray wrote: > > On Wed, Oct 25, 2017 at 3:56 AM, William Stein > wrote: > > > > On Tue, Oct 24, 2017 at 3:08 PM Eric Gourgoulhon > > > wrote: > >> > >> Thanks Emmanuel for the discussion summary. > >> > >> > >> On Tuesday, October 24, 2017

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
I'd rather discuss this in the (to be opened Real Soon Now) proposal for implementation. -- Emmanuel Charpentier On Wednesday, October 25, 2017 at 11:57:13 UTC+2, Erik Bray wrote: > > (Sorry for the multiple replies--there are just a lot of disparate > issues touched on in this message that I think

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
On Wednesday, October 25, 2017 at 11:46:38 UTC+2, Erik Bray wrote: > > Hi Emmanuel, > > On Tue, Oct 24, 2017 at 8:58 PM, Emmanuel Charpentier > > wrote: > > Similarly, I am still in the dark about the ability of our Cygwin port > to > > ensure the availability of the Cygwin-ported OpenSSL libra

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
On Wednesday, October 25, 2017 at 11:42:32 UTC+2, Erik Bray wrote: > > On Wed, Oct 25, 2017 at 12:08 AM, Eric Gourgoulhon > > wrote: > > Thanks Emmanuel for the discussion summary. > > > > On Tuesday, October 24, 2017 at 20:58:17 UTC+2, Emmanuel Charpentier wrote: > >> > >> > >> It is true. But w

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Emmanuel Charpentier
On Wednesday, October 25, 2017 at 10:41:15 UTC+2, Jeroen Demeyer wrote: > > On 2017-10-25 00:08, Eric Gourgoulhon wrote: > > I have the feeling that the current tendency is towards a more modular > > and lighter Sage, which deviates from the original "batteries included" > > philosophy. > > I wo

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Erik Bray
On Wed, Oct 25, 2017 at 3:56 AM, William Stein wrote: > > On Tue, Oct 24, 2017 at 3:08 PM Eric Gourgoulhon > wrote: >> >> Thanks Emmanuel for the discussion summary. >> >> >> On Tuesday, October 24, 2017 at 20:58:17 UTC+2, Emmanuel Charpentier wrote: >>> >>> >>> It is true. But we are hoisted by our

Re: [sage-devel] How do I overwrite comparison for modules?

2017-10-25 Thread Simon Brandhorst
Okay I made it work with __richcmp__ as suggested. Please review :-) . On Tuesday, October 24, 2017 at 7:53:46 AM UTC+2, Simon Brandhorst wrote: > > Ahhh > > On Monday, October 23, 2017 at 6:09:02 PM UTC+2, David Roe wrote: >> >> >> >> On Mon, Oct 23, 2017 at 8:24 AM, Simon Brandhorst >> wrot

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Erik Bray
(Sorry for the multiple replies--there are just a lot of disparate issues touched on in this message that I think would be confusing to reply to all at once). On Tue, Oct 24, 2017 at 8:58 PM, Emmanuel Charpentier wrote: > This point of view is of course incompatible with the result of the vote. >

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Erik Bray
Hi Emmanuel, On Tue, Oct 24, 2017 at 8:58 PM, Emmanuel Charpentier wrote: > Similarly, I am still in the dark about the ability of our Cygwin port to > ensure the availability of the Cygwin-ported OpenSSL library and development > files. Again, Erik's expertise will be needed during implementatio

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Erik Bray
On Wed, Oct 25, 2017 at 12:08 AM, Eric Gourgoulhon wrote: > Thanks Emmanuel for the discussion summary. > > On Tuesday, October 24, 2017 at 20:58:17 UTC+2, Emmanuel Charpentier wrote: >> >> >> It is true. But we are hoisted by our own petard : from our tutorial : >> "The Sage download file comes with

[sage-devel] Incorrect GAP3 tarball on mirrors

2017-10-25 Thread Travis Scrimshaw
I just tried to install GAP3 and it resulted in an error saying the checksums did not match. I suspect the one on the mirror is the one from the second link in #23405 rather than the first as I was able to download the first linked tarball directly and i

Re: [sage-devel] Re: VOTE: inclusion of OpenSSL in Sage

2017-10-25 Thread Jeroen Demeyer
On 2017-10-25 00:08, Eric Gourgoulhon wrote: I have the feeling that the current tendency is towards a more modular and lighter Sage, which deviates from the original "batteries included" philosophy. I would like to keep "batteries OPTIONALLY included". This means: use system software if possi