On Monday, August 31, 2015 at 5:35:46 PM UTC-4, jean-pierre.muench wrote: > > Am 31.08.2015 um 23:12 schrieb Jeffrey Walton: > > Hi Everyone, > > Here's an update on Crypto++ 5.6.3 and 5.7/6.0. > > It's (finally) happening :) >
Oh man... I did not realize how much work release engineering was/is; and how much effort Wei had to put into it. Crypto++ 5.6.3 is a minimal set of changes which attempts to honor > versioning requirements. The versioning requirements are tricky because > some of the Sanitizer and Valgrind findings that have been remediated break > versioning. I'm beginning to think we are going to have to pick a poison... > > Our requirements are: Don't break anything, eliminate as much potentially > bad code as possible and make sure it runs better everywhere. Am I seeing > this right? > Yeah, from 10,000 feet, that's about right. > Crypto++ 5.7/6.0 is a more complete set of changes. Its not clear what the > version number will be because we have to take it modulo versioning > requirements. Because 5.7 changes some publicly exported symbols, I believe > that effectively means it needs to be 6.0 (even though it is, at its > essence, a 5.7). > > The major version bump of Crypto++ 5.7/6.0 should probably include the > KeyDerivationParameters to avoid an immediate 7.0 bump. At the moment, it > does not. > > It definitely should. I'd also like to request a RNG interface > reconsideration to enable full compatibility with the NIST DRBGs and > Fortuna. Furthermore I think we need to design / derive a > TweakableBlockTransformation class for Threefish for 6.0. This would allow > us to push Skein, Threefish and Fortuna to 6.1. > I *think* we need a world-writable page somewhere to keep track of these things. How does the wiki sound? > Looking to the future, once we get Crypto++ 6.0 + KeyDerivationParameters > in place, we should be OK with minor bumps since its consistent with > versioning requirements. For example, we can add the NIST DRBG from > SP800-108, and then change the version to 6.1. Crypto++ 6.1 is fine because > its compatible with 6.0 clients, and only adds new features. > > Am I reading this right that a third minor version increase (-> 5.6.3) > means we only apply security fixes. > A minor version increase allows us to add new features but forces us to > keep full compatibility? > A major version increase allows us to break old things? > Yeah, so this is a grey/muddy area. We can say, "we will do X, Y and Z". That may be fine on Linux, but it might run afoul on Apple. What we are really trying to do is use a versioning scheme that is effectively the most restrictive with respect to operations and their intersection on Major-Minor-Revision. That means we will honor most platform's requirements. As an example, here is Apple's official docs on versioning: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/DynamicLibraryDesignGuidelines.html. Crypto++ 5.6.3 and 5.7/6.0 are testing OK on the major platforms. They are > undergoing tests on the lesser platforms and compilers, like ARM, MIPS or > OS X 10.5 with GCC 4.0. I know there's an outstanding issue on ARMEL at the > moment. > > Do we have a 5.6.3 and a 5.7/6.0 branch on GitHub for pre-rc testing? Did > we actually test our code on any Big-Endian platform? > No, nothing tagged in Git. Related: https://github.com/weidai11/cryptopp/issues/18. We do have testing on a Big Endian machine. One of them is an Apple G5/OS X 10.5 PowerPC. The machine only exists for PowerPC testing and GCC 4.0.1 testing. Folks from OpenSSL and Cryptlib projects have access for similar testing. If you (or anyone else) wants access, then send over your SSH-{RSA|ECDSA|ed25519} key. The improved Download area of the website should facilitate retention > requirements. > > I did not plan on being fancy :) Our requirements are simple: (1) users need a way to identify and download "current" (say 5.6.2 or 5.7), and (2) users need a way to identify and download "past" (like 4.0, 5.0, 5.1, or 5.6.1). To avoid confusion, "current" goes on the Home page and Download page; while "past" goes on the Download page only. Let me get something whipped up at https://www.cryptopp.com/index2.html so you can make concrete suggestions. Jeff -- -- You received this message because you are subscribed to the "Crypto++ Users" Google Group. To unsubscribe, send an email to [email protected]. More information about Crypto++ and this group is available at http://www.cryptopp.com. --- You received this message because you are subscribed to the Google Groups "Crypto++ Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
