Fair point, but a change from one to the other may be preferable for philosophical reasons, but practically I - and others - need to be able as users to make a determination what we want to accept and what not, instead of being forced into one direction. And, as tool writer and user (not frontend writer) I need to be able to override such things mechanically, i.e. without further user interaction.
> Sent: Monday, 26 June 2017 at 10:04
> From: "Jaak Ristioja" <j...@ristioja.ee>
> To: sword-devel@crosswire.org
> Subject: Re: [sword-devel] SWORD 1.8.0RC3
>
> Overriding this setting was never possible with Sword in the first place.
>
> On 26.06.2017 11:05, ref...@gmx.net wrote:
> > As a user I would want to be able to override this, does this patch make
> > this impossible?
> >
> > Sent from my mobile. Please forgive shortness, typos and weird autocorrects.
> >
> >
> > -------- Original Message --------
> > Subject: Re: [sword-devel] SWORD 1.8.0RC3
> > From: Jaak Ristioja
> > To: sword-devel@crosswire.org
> > CC:
> >
> >
> > Sure! Verifying TLS certificates is explicitly disabled in the file
> >
> > src/mgr/curlhttpt.cpp
> >
> > by the lines:
> >
> > /* Disable checking host certificate */
> > curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, false);
> >
> > I've attached a patch for Sword SVN trunk which removed these lines. For
> > the Sword++ commit, see
> >
> > https://github.com/swordxx/swordxx/commit/49de93ca35f61601376fab0ac8689f48a76dd4d6
> >
> > J
> >
> >
> > On 26.06.2017 04:10, Greg Hellings wrote:
> > > Jaak,
> > >
> > > Can you provide a version of that patch for 1.7 (and 1.8, if there is a
> > > difference)? Or point me to where it lives? I will definitely wrap that
> > > into the packaging for Fedora and SuSE as it is absolutely inappropriate
> > > to have SSL checking skipped at the library level without it being a
> > > very explicit step for users.
> > >
> > > If Troy won't fix this glaring security hole, it can at least be fixed
> > > by the packagers. I would encourage any Debian and/or Ubuntu users to
> > > file bugs against Sword packaging in their environments (if their
> > > maintainer isn't here) and the same for any other distribution users.
> > >
> > > --Greg
> > >
> > > On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja wrote:
> > >
> > > Regarding TLS, I think the choice of whether to trust a self-signed
> > > certificate should explicitly be left to the user at run-time (e.g. like
> > > browsers do), rather than blindly accepting any (even expired?)
> > > certificates.
> > >
> > > Regarding the other fix, frontends can (and already do) handle threading
> > > by themselves, but afaik even for a single-threaded process the
> > > callbacks accepted by Sword have no direct means to terminate the
> > > installation process (e.g. by return value, or via another callback
> > > provided to the callback). So it seems that you're either saying that
> > >
> > > 1) Sword users have no means to terminate potentially long-running
> > > processes (and there's no plan to add such means), or
> > > 2) RemoteTransport::terminate() should never be called separately, but
> > > exclusively only from inside callbacks invoked by Sword.
> > >
> > > In the latter case, this should be made clear in the documentation.
> > >
> > > Blessings,
> > > J
> > >
> > > On 25.06.2017 21:53, Troy A. Griffitts wrote:
> > > > We have included some of your patches in the past (thank you again), but
> > > > not these. The first is intentional. We want to work with self signed
> > > > certs if necessary. None of our content is private, only the fact that a
> > > > user might access our server and for this, we ask all our frontends to
> > > > warn against this for persecuted countries. The second goes against our
> > > > policy in the library that all threading should be handled by the
> > > > client, not the library. The client should instantiate an InstallMgr in
> > > > its own thread and register threads are callbacks, if they wish to
> > > > install in the background.
> > > > If we start trying to handle threading in the
> > > > library itself, it is a huge switch from current policy and depends on
> > > > support for threading in all our compilers. Easy enough to just
> > > > instantiate separate SWMgr instances per thread. But thank you for offering.
> > > > Troy
> > > >
> > > > On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja wrote:
> > > >
> > > > Hi Troy!
> > > >
> > > > It seems that no fixes from Sword++ were considered for inclusion in SVN
> > > > trunk, not even the two I explicitly proposed on this list in response
> > > > to the RC2 announcement: one fixing hangs in front ends and the other
> > > > fixing a pure security negligence which rendered SSL/TLS susceptible to
> > > > MitM attacks.
> > > >
> > > > ?!?!
> > > >
> > > > J
> > > >
> > > > On 25.06.2017 18:51, Troy A. Griffitts wrote:
> > > >
> > > > Again, thank you to all the testers and reporters of problems for the
> > > > previous RC and those who contributed fixes. Hopefully, this will stand
> > > > any scrutiny and become 1.8.0. Please let me know if you have any feedback.
> > > >
> > > > http://crosswire.org/sword/alpha/alpha/sword-1.7.903.tar.gz
> > > >
> > > > Included since last RC:
> > > >
> > > > ------------------------------------------------------------------------
> > > > r3482 | scribe | 2017-06-25 07:36:23 -0700 (Sun, 25 Jun 2017) | 2 lines
> > > >
> > > > Reworked strongs and lemma filters to better support any combo of toggle
> > > > Added osisxhtml lemma type= support for other than Greek, Hebrew strongs
> > > > ------------------------------------------------------------------------
> > > > r3481 | scribe | 2017-06-25 04:45:04 -0700 (Sun, 25 Jun 2017) | 3 lines
> > > >
> > > > moved examples/simple.cpp to examples/tasks/simpleverselookup.cpp
> > > >
> > > > also updated CMakeList.txt to build new examples
> > > > ------------------------------------------------------------------------
> > > > r3480 | scribe | 2017-06-25 04:44:29 -0700 (Sun, 25 Jun 2017) | 1 line
> > > >
> > > > added listbiblebooknames example
> > > > ------------------------------------------------------------------------
> > > > r3479 | scribe | 2017-06-25 04:44:01 -0700 (Sun, 25 Jun 2017) | 1 line
> > > >
> > > > added flatapi installmgr example
> > > > ------------------------------------------------------------------------
> > > > r3478 | refdoc | 2017-06-10 15:28:11 -0700 (Sat, 10 Jun 2017) | 2 lines
> > > >
> > > > added Belarussian locale file
> > > >
> > > > ------------------------------------------------------------------------
> > > > r3477 | domcox | 2017-06-04 11:18:34 -0700 (Sun, 04 Jun 2017) | 1 line
> > > >
> > > > French translation update (Contrib. from Cyrille)
> > > > ------------------------------------------------------------------------
> > > >
> > > > sword-devel mailing list: sword-devel@crosswire.org
> > > > http://www.crosswire.org/mailman/listinfo/sword-devel
> > > > Instructions to unsubscribe/change your settings at above page
> > > >
> > > > --
> > > > Sent from my Android device with K-9 Mail. Please excuse my brevity.
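
Added example, not part of the original thread and not SWORD or Sword++ code: one way to reconcile the positions above is to verify certificates by default and let a tool supply per-host overrides without user interaction. The override string format, the `TlsPolicy` struct, both function names and the sample hosts and path are assumptions made for this sketch.

```cpp
// Added illustration: hypothetical policy resolver, not SWORD or Sword++ code.
#include <iostream>
#include <map>
#include <sstream>
#include <string>
// Settings a transport would pass to libcurl: verifyPeer -> CURLOPT_SSL_VERIFYPEER,
// verifyHost -> CURLOPT_SSL_VERIFYHOST, caFile -> CURLOPT_CAINFO ("" = system store).
struct TlsPolicy {
    long verifyPeer = 1;
    long verifyHost = 2;
    std::string caFile;
};

// Parses a tool-supplied override string in an assumed format:
//   "host=insecure;host=ca:/path/to/cert.pem"
// Malformed or unknown entries are dropped, so a typo never weakens TLS.
std::map<std::string, TlsPolicy> parseOverrides(const std::string &spec) {
    std::map<std::string, TlsPolicy> out;
    std::istringstream in(spec);
    std::string entry;
    while (std::getline(in, entry, ';')) {
        std::string::size_type eq = entry.find('=');
        if (eq == std::string::npos || eq == 0) continue;
        std::string host = entry.substr(0, eq), mode = entry.substr(eq + 1);
        TlsPolicy p;
        if (mode == "insecure") {              // explicit opt-out, this host only
            p.verifyPeer = 0;
            p.verifyHost = 0;
        } else if (mode.size() > 3 && mode.compare(0, 3, "ca:") == 0) {
            p.caFile = mode.substr(3);         // trust one self-signed cert, keep checks on
        } else {
            continue;
        }
        out[host] = p;
    }
    return out;
}

// Hosts without an explicit override always get full verification.
TlsPolicy policyFor(const std::string &host, const std::map<std::string, TlsPolicy> &overrides) {
    std::map<std::string, TlsPolicy>::const_iterator it = overrides.find(host);
    return it == overrides.end() ? TlsPolicy() : it->second;
}

int main() {  // constructed host names and path
    std::map<std::string, TlsPolicy> o =
        parseOverrides("lab.example.org=insecure;repo.example.org=ca:/path/to/pinned.pem");
    std::cout << policyFor("other.example.org", o).verifyPeer << "\n";
}
```

Pinning a self-signed certificate through `caFile` keeps peer verification on for that host, which is a narrower exception than turning verification off.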