[openssl-users] OpenSSL F2F

2016-10-03 Thread Salz, Rich
Sorry, we didn't think to put this out earlier...

The OpenSSL dev team is having a face-to-face meeting this week in Berlin, 
co-located with LinuxCon.  If you're in the area, feel free to stop by. In 
particular, on Tuesday from 16:50-17:40 - "Members of the openssl development 
team will be available to help with porting applications to 1.1.0, help guide 
how people can contribute to the project, and be available to discuss other 
technical issues. Downstream distributions and embedded applications developers 
should also stop by to introduce themselves"

If you're not available during that time, but want to chat, please let us know.

/r$

--
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richs...@jabber.at Twitter: RichSalz

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] calloc vs kssl_calloc

2016-10-03 Thread Benjamin Kaduk
On 10/01/2016 03:32 PM, Geoffrey Coram wrote:
> On 09/30/2016 09:29, "Salz, Rich" wrote:
>>> Is there something more I should do on this issue?  I recall the
>>> OpenSSL terms of use strongly discouraged people from the US from
>>> helping, due to US export restrictions.
>>
>> That's kinda outdated.
>
> That didn't answer my question.  I reported a bug, I'm not a developer
> / on the developer list; will someone else take this, or is there some
> bug database that I should enter an issue into?

The general question has been answered already.  In this specific case,
the best thing for you to do would be to test
https://github.com/openssl/openssl/pull/1622 , which I submitted after
making the claim that the calloc usage was "just a bug".

-Ben


Re: [openssl-users] OpenSSL and sourc'ing countries (was: calloc vs kssl_calloc)

2016-10-03 Thread Jakob Bohm

On 01/10/2016 23:01, Jeffrey Walton wrote:
>>>> Is there something more I should do on this issue?  I recall the OpenSSL
>>>> terms of use strongly discouraged people from the US from helping, due to US
>>>> export restrictions.
>>>
>>> That's kinda outdated.
>>
>> However there are very many OpenSSL users (myself included)
>> who rely on the legal status of OpenSSL/SSLeay as having no
>> US origin parts.  If this has changed, it needs a big red
>> banner at the top of the www.openssl.org, every affected
>> source file with the original EAY copyright boilerplate or
>> its OpenSSL clone etc.
>
> That's kind of interesting. Are you saying there are countries where
> you can source and import your crypto from some countries, but not
> other countries?

I'm not sure about that either.  Part of my point is that when
*exporting* or *reexporting* products that include OpenSSL code,
the various filings (including DoC/BIS as it happens) tend to
include declarations related to the country of origin of the
cryptographic software.

Therefore (and for other reasons) it is very disconcerting if a
project such as OpenSSL, which is actually famous for its non-US
origin, silently changes its country of origin.

> As I understand the US procedures from working with DoC and BIS, you
> don't need an import license (only an export license). But I'd be
> interested in hearing how some countries are trying to control the
> crypto from the import side of the equation.
>
> More humorously, does import versus export even matter? The crypto
> genie is out of the bottle. It can't be put back.

Unfortunately, governments tend to disagree, and we can't all
afford to ignore ill-conceived laws.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] calloc vs kssl_calloc

2016-10-03 Thread Jakob Bohm

On 01/10/2016 23:18, Salz, Rich wrote:
>> However there are very many OpenSSL users (myself included) who rely on
>> the legal status of OpenSSL/SSLeay as having no US origin parts.  If this has
>> changed, it needs a big red banner at the top of the www.openssl.org, every
>> affected source file with the original EAY copyright boilerplate or its OpenSSL
>> clone etc.
>
> As of 1.1.0 every single file has modifications by US Citizens because I
> globally changed the copyright.

Really, I thought the US team dealt exclusively with the FIPS
bureaucracy acting as "cutouts" between US government interests
and the non-US developers, never actually touching the code.

> We are NOT going to mark US/non-US contributions, sorry.
>
> OpenSSL and SSLeay has always had US contributions, it's just that we were done
> indirectly.  For example, "git show eb64730" which was early 2000.

This fact was *not* published widely enough to be seen by
everyone concerned.  It was certainly not published as widely
as the fact that SSLeay was created and maintained entirely
outside the US, and that this was one of its major attractions.

Basically that internal checkin (which I have no idea what is,
since I only see the released tarballs) or any earlier US code
changes would have been a watershed change.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] calloc vs kssl_calloc

2016-10-03 Thread Salz, Rich

> This fact was *not* published widely enough to be seen by everyone
> concerned.  It was certainly not published as widely as the fact that SSLeay
> was created and maintained entirely outside the US, and that this was one of
> its major attractions.
> 
> Basically that internal checkin (which I have no idea what is, since I only
> see the released tarballs) or any earlier US code changes would have been a
> watershed change.

Well, I can't go back to 2000 and change things.

You'll have to decide what you want to do now.