Re: OpenSSL roadmap
On Wed, Jul 2, 2014 at 10:42 PM, Salz, Rich <rs...@akamai.com> wrote:
>> I write fixes for pieces of software that I depend on. Some time ago, I sent a diff for OpenSSL.
>
> Great, thanks.
>
>> If I'm interested in fixing OpenSSL, why shouldn't I have access to coverity scans? Other Open Source projects have provided me access to their coverity scans, despite the fact that I'm not a committer.
>
> There are security concerns. For example, the recent heartbleed vulnerability exposed long-term private keys, user passwords and all sorts of stuff. This makes OpenSSL software different from something like a packet dump or mail reader. I don't know what the scans say, and I understand your disappointment, but we really need to be careful about making vulnerability scans generally available. And then there is the question of where we draw the line. I am all in favor of responsible disclosure, but unfortunately the bad guys -- who, yes, may already have coverity or other scans -- are interested as well.

I reported a vulnerability to FreeBSD (see: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:12.ifioctl.asc) by going through the responsible disclosure process. Are you implying that I'm part of the bad guys? I'm not asking for the scan results to be made public, but simply asking for my request not to be left pending on my coverity dashboard, as a contributor.

> I wish I could give you a nice answer.
>
> /r$
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge, MA
> IM: rs...@jabber.me; Twitter: RichSalz
>
> -----Original Message-----
> From: owner-openssl-...@openssl.org [mailto:owner-openssl-d...@openssl.org] On Behalf Of Loganaden Velvindron
> Sent: Wednesday, July 02, 2014 2:24 PM
> To: openssl-dev@openssl.org
> Subject: Re: OpenSSL roadmap
>
> On Wed, Jul 2, 2014 at 9:48 PM, Salz, Rich <rs...@akamai.com> wrote:
>>> However, I feel that the developer group is a bit closed to outsiders.
>>
>> More communication and transparency is coming, as we have a bigger and more invigorated developer team. It will take time. But not everything will always be discussed in public mailing lists right away, particularly around vulnerabilities.
>>
>>> I requested access to the OpenSSL scan results on coverity, and up to now, my request is still pending :-(
>>
>> This could be an example of that. (I don't know, I haven't looked through any reports.) But I hope that you understand why there might be concerns about doing this.
>>
>> Are there other issues or examples that come to mind?

--
This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
RE: OpenSSL roadmap
No, I don't mean to imply that you are one of the bad guys. It's just that we have only one real way of knowing who the good guys are, and that is being part of the development team. Yes, that can be very inconvenient. Trust me, I know, it took more than 10 years for the team to open up and add me. :)

I don't know where your ticket is, but it should be closed. I know this frustrates you, and I'm sorry about that.

/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz
Re: OpenSSL roadmap
On Thu, Jul 3, 2014 at 3:10 PM, Salz, Rich <rs...@akamai.com> wrote:
> No, I don't mean to imply that you are one of the bad guys. It's just that we have only one real way of knowing who the good guys are, and that is being part of the development team. Yes, that can be very inconvenient. Trust me, I know, it took more than 10 years for the team to open up and add me. :)
>
> I don't know where your ticket is, but it should be closed. I know this frustrates you, and I'm sorry about that.

I see such trends as leading to dangerous situations in the future. OpenSSL is widely deployed, and the developers appear to grow older, according to the various interviews I read. (I don't wish to offend any of you guys here.) What happens if something happens to the core developers? Who will take over? The roadmap is nice, but if we don't get young developers who can work their way to maintain the OpenSSL codebase, we're going to hit a huge problem in 10 years :-(

--
This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
Re: OpenSSL roadmap
On 3 July 2014 13:01, Loganaden Velvindron <logana...@gmail.com> wrote:
> On Thu, Jul 3, 2014 at 3:10 PM, Salz, Rich <rs...@akamai.com> wrote:
>> No, I don't mean to imply that you are one of the bad guys. It's just that we have only one real way of knowing who the good guys are, and that is being part of the development team. Yes, that can be very inconvenient. Trust me, I know, it took more than 10 years for the team to open up and add me. :)
>>
>> I don't know where your ticket is, but it should be closed.

Done.

>> I know this frustrates you, and I'm sorry about that.
>
> I see such trends as leading to dangerous situations in the future. OpenSSL is widely deployed, and the developers appear to grow older, according to the various interviews I read. (I don't wish to offend any of you guys here.) What happens if something happens to the core developers? Who will take over? The roadmap is nice, but if we don't get young developers who can work their way to maintain the OpenSSL codebase, we're going to hit a huge problem in 10 years :-(

I think your criticism might have been valid in the past - but not any longer. The team have recognised that new blood is required, and that is why the team has doubled in size in the last couple of months.

Matt
Re: OpenSSL roadmap
On Thu, Jul 03, 2014 at 04:01:16PM +0400, Loganaden Velvindron wrote:
> I see such trends as leading to dangerous situations in the future. OpenSSL is widely deployed, and the developers appear to grow older, according to the various interviews I read. (I don't wish to offend any of you guys here.) What happens if something happens to the core developers? Who will take over? The roadmap is nice, but if we don't get young developers who can work their way to maintain the OpenSSL codebase, we're going to hit a huge problem in 10 years :-(

There are several issues being conflated here. One is how security disclosures get handled and who gets access to things like free open source Coverity scans. In the linux kernel, we do have a closed secur...@kernel.org list, but that's separate from those core maintainers, and things are only kept quiet for a relatively short period of time --- typically only a week, and the distributions know and expect that they need to turn around a new package in a short window of time, but that's Linus's strong preference since he doesn't believe a longer window does anything but reward incompetent release processes at various distributions. (Given that Microsoft has weekly patch Tuesdays, if even slow moving *Microsoft* can turn around a security update in a week, what's your excuse? :-)

However, in the kernel we are much more lax about who gets access to the Coverity project. Part of this is the sure and certain knowledge that the bad guys are quite willing to pay for a Coverity license, and so for us the balance of increasing the pool of those who can look through the Coverity scans, and contribute to fix bugs, and thus grow the development community, tips in favor of being more open about who gets access to Coverity.

This is in turn *completely* different from who participates in the development community. Note that with git, you don't have to have committer access in order to contribute. In fact, with Linux, only one person --- Linus Torvalds --- has access to merge changes into the tree, and while we don't have a closed mailing list only open to committers, that's because Linus isn't known to be schizophrenic, so he doesn't talk to himself, and he certainly doesn't need to conduct closed votes amongst himself. He's a *dictator*, after all. And yet, the Linux kernel has a pretty healthy development community.

I'd submit that the better metric of developer community health is looking to see who has actually authored patches that have gotten merged into the git tree, on a monthly/quarterly/annual basis. And in fact, I'm trying to see if we can get the folks who are doing the annual "who writes Linux" reports to do a similar analysis on the OpenSSL git tree, and make the results public for all to see. After all, as the saying goes, you get what you measure.

I personally think that sending patches for review on the mailing list is actually healthier than just hiding it in request tracker or github pull requests, since it invites a much larger set of people who have at least *looked* at the patch. But that's an implementation detail, and as someone who isn't an OpenSSL developer, I don't have standing to make suggestions like that.

And also, does it matter? If a year from now, the statistics show that patches aren't getting merged from a growing set of people, one of the wonderful things about git is that it makes forks so much easier. And if a bunch of young Turks are upset that the old dinosaurs aren't letting them into the clubhouse, they can always fork the git repo and make their own version --- and that's a good thing. Because when it's that easy to fork, paradoxically it changes the incentives to make forks much less likely --- and if they do happen, git makes it a lot easier to merge and cherry pick changes back from forks into whatever development tree is acknowledged by the majority of the development and user community as being the mainline branch. It was really important to Linus Torvalds that his tree not be special compared to any other tree in the git forest, for this very reason.

Cheers,

- Ted
Re: OpenSSL roadmap
On Thu, 2014-07-03 at 09:13 -0400, Theodore Ts'o wrote:
> However, in the kernel we are much more lax about who gets access to the Coverity project. Part of this is the sure and certain knowledge that the bad guys are quite willing to pay for a Coverity license, and so for us the balance of increasing the pool of those who can look through the Coverity scans, and contribute to fix bugs, and thus grow the development community, tips in favor of being more open about who gets access to Coverity.

Yes, the real bad guys can surely buy a Coverity license; they can even write similar tools themselves. So once something is found by a Coverity scan it should be considered public knowledge anyway. Manual review by real people is something very different.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
Re: OpenSSL roadmap
On 3 July 2014 14:13, Theodore Ts'o <ty...@mit.edu> wrote:
> However, in the kernel we are much more lax about who gets access to the Coverity project. Part of this is the sure and certain knowledge that the bad guys are quite willing to pay for a Coverity license, and so for us the balance of increasing the pool of those who can look through the Coverity scans, and contribute to fix bugs, and thus grow the development community, tips in favor of being more open about who gets access to Coverity.

Right, I agree, but clearly there isn't unanimity amongst the dev team. I think we'd be a bit more relaxed if we were actually on top of Coverity, which I would hope would happen soon, now we have full-time developer(s).
RE: OpenSSL roadmap
> release processes at various distributions. (Given that Microsoft has weekly patch Tuesdays, if even slow moving *Microsoft* can turn around a security update in a week, what's your excuse? :-)

They have a regular release train, but it doesn't mean that everything gets fixed in one week. Sorry to stomp your punchline.

/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz
Re: OpenSSL roadmap
On 3 July 2014 15:28, Salz, Rich <rs...@akamai.com> wrote:
>> release processes at various distributions. (Given that Microsoft has weekly patch Tuesdays, if even slow moving *Microsoft* can turn around a security update in a week, what's your excuse? :-)
>
> They have a regular release train, but it doesn't mean that everything gets fixed in one week. Sorry to stomp your punchline.

3 months to a year is more usual. :-)
Re: OpenSSL roadmap
On Thu, Jul 03, 2014 at 09:13:43AM -0400, Theodore Ts'o wrote:
> (Given that Microsoft has weekly patch Tuesdays, if even slow moving *Microsoft* can turn around a security update in a week, what's your excuse? :-)

As far as I know, patch Tuesday is the 2nd Tuesday of the month. But wikipedia says it's the 2nd and the 4th. In my experience I normally only get updates the day after the 2nd Tuesday. That of course doesn't mean we shouldn't aim for 1 week.

Kurt
RE: OpenSSL roadmap
> However, I feel that the developer group is a bit closed to outsiders.

More communication and transparency is coming, as we have a bigger and more invigorated developer team. It will take time. But not everything will always be discussed in public mailing lists right away, particularly around vulnerabilities.

> I requested access to the OpenSSL scan results on coverity, and up to now, my request is still pending :-(

This could be an example of that. (I don't know, I haven't looked through any reports.) But I hope that you understand why there might be concerns about doing this.

Are there other issues or examples that come to mind?

/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz
Re: OpenSSL roadmap
On Wed, Jul 2, 2014 at 9:48 PM, Salz, Rich <rs...@akamai.com> wrote:
>> However, I feel that the developer group is a bit closed to outsiders.
>
> More communication and transparency is coming, as we have a bigger and more invigorated developer team. It will take time. But not everything will always be discussed in public mailing lists right away, particularly around vulnerabilities.
>
>> I requested access to the OpenSSL scan results on coverity, and up to now, my request is still pending :-(
>
> This could be an example of that. (I don't know, I haven't looked through any reports.) But I hope that you understand why there might be concerns about doing this.

I write fixes for pieces of software that I depend on. Some time ago, I sent a diff for OpenSSL.

If I'm interested in fixing OpenSSL, why shouldn't I have access to coverity scans? Other Open Source projects have provided me access to their coverity scans, despite the fact that I'm not a committer.

> Are there other issues or examples that come to mind?

--
This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
RE: OpenSSL roadmap
> I write fixes for pieces of software that I depend on. Some time ago, I sent a diff for OpenSSL.

Great, thanks.

> If I'm interested in fixing OpenSSL, why shouldn't I have access to coverity scans? Other Open Source projects have provided me access to their coverity scans, despite the fact that I'm not a committer.

There are security concerns. For example, the recent heartbleed vulnerability exposed long-term private keys, user passwords and all sorts of stuff. This makes OpenSSL software different from something like a packet dump or mail reader. I don't know what the scans say, and I understand your disappointment, but we really need to be careful about making vulnerability scans generally available. And then there is the question of where we draw the line. I am all in favor of responsible disclosure, but unfortunately the bad guys -- who, yes, may already have coverity or other scans -- are interested as well.

I wish I could give you a nice answer.

/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz

-----Original Message-----
From: owner-openssl-...@openssl.org [mailto:owner-openssl-d...@openssl.org] On Behalf Of Loganaden Velvindron
Sent: Wednesday, July 02, 2014 2:24 PM
To: openssl-dev@openssl.org
Subject: Re: OpenSSL roadmap

On Wed, Jul 2, 2014 at 9:48 PM, Salz, Rich <rs...@akamai.com> wrote:
>> However, I feel that the developer group is a bit closed to outsiders.
>
> More communication and transparency is coming, as we have a bigger and more invigorated developer team. It will take time. But not everything will always be discussed in public mailing lists right away, particularly around vulnerabilities.
>
>> I requested access to the OpenSSL scan results on coverity, and up to now, my request is still pending :-(
>
> This could be an example of that. (I don't know, I haven't looked through any reports.) But I hope that you understand why there might be concerns about doing this.
>
> Are there other issues or examples that come to mind?
Re: OpenSSL roadmap
On Wed, Jul 2, 2014 at 11:23 AM, Loganaden Velvindron <logana...@gmail.com> wrote:
> If I'm interested in fixing OpenSSL, why shouldn't I have access to coverity scans?

I'm not a committer, and not a core member, but I am fully prepared to answer your question. Because the policy of the project says so. If you show the dedication and commitment to give back to the project and become a committer, that could change.

> Other Open Source projects have provided me access to their coverity scans, despite the fact that I'm not a committer.

That is deeply flawed as an argument, both rhetorically and materially.

- M
Re: OpenSSL roadmap
I agree. Not all open source projects play a major role in securing much of the world's e-commerce.

On Jul 2, 2014 2:52 PM, Michael Sierchio <ku...@tenebras.com> wrote:
> On Wed, Jul 2, 2014 at 11:23 AM, Loganaden Velvindron <logana...@gmail.com> wrote:
>> If I'm interested in fixing OpenSSL, why shouldn't I have access to coverity scans?
>
> I'm not a committer, and not a core member, but I am fully prepared to answer your question. Because the policy of the project says so. If you show the dedication and commitment to give back to the project and become a committer, that could change.
>
>> Other Open Source projects have provided me access to their coverity scans, despite the fact that I'm not a committer.
>
> That is deeply flawed as an argument, both rhetorically and materially.
>
> - M