On Tue, Jan 09, 2007 at 06:06:53PM +0100, Florent Daignière (NextGen$) wrote:
> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-01-09 17:41:23]:
> 
> > I want to hazard a word because no one else does it: how many of such
> > problems could still be in the code?
> 
> plenty
> 
> > I think there is no answer to this question.
> 
> You asked how many could be, right ? My answer seems to be appropriate.
> 
> > Maybe toad or someone else (maybe paid from the donations) should do a
> > careful code review, at least of the critical security parts.
> 
> We ought to introduce unit tests on the new code we are writing that's
> for sure... and it would be great if we were writing one test for every
> bug we fix.

There were test vectors run by the original person who found this bug.
I personally have checked that outgoing encrypted data is in fact
encrypted, or at least, that the second 16 bytes of the ciphertext
are not the same as the second 16 bytes of the plaintext (at least for
hashes); this is what the bug produced.
> 
> 0.5 is harvestable, we do have evidence that its routing *doesn't* work
> as well as it ought to.
> 0.5 has been reviewed ? by whom ? Have I already mentioned that this
> precise part of the code is mostly borrowed from 0.5 ?
> 
> > Sorry if I cried somebody down, but this is my opinion. I like 0.7,
> > its speed and functionality, but don't mislead the customers that
> > expect something different.
> > 
> > If you think I'm wrong then please provide a comparison sheet on the
> > wiki that compares freenet 0.5 and 0.7 and clearly states why 0.7 is
> > more secure, even in the current version.
> 
> No, I am not going to write down a "howto bring 0.5 down" tutorial for
> you :) and I wouldn't encourage anyone to do so.
> 
> It's not a direct comparison but it's probably instructive for most
> people who will take part in that thread.
> http://wiki.freenetproject.org/FreenetZeroPointSevenSecurity
> It has been out there for a while... Of course it doesn't tell
> anything about bugs like that one.

There are always more bugs. :(

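The sanity check described in the reply above (the second 16 bytes of the ciphertext must not equal the second 16 bytes of the plaintext, and one regression test per fixed bug) as an added, stand-alone example. This is not Freenet code: the keystream construction, the faulty variant, the key, nonce and sample hash are all constructed stand-ins. The faulty variant is hypothetical and exists only to reproduce the symptom the message describes; it is not a description of the actual bug.

```python
import hashlib

BLOCK = 16  # block size in bytes, as in the message ("second 16 bytes")


def _keystream(key: bytes, nonce: bytes, nblocks: int) -> bytes:
    # Toy stand-in for a block-cipher keystream: SHA-256(key || nonce || counter)
    # truncated to one 16-byte block per counter value. Illustration only; this
    # is not Freenet's cipher and is not meant for real use.
    out = bytearray()
    for i in range(nblocks):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()[:BLOCK]
    return bytes(out)


def encrypt_ok(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Correct behaviour: every block of plaintext is XORed with keystream.
    nblocks = -(-len(plaintext) // BLOCK)
    ks = _keystream(key, nonce, nblocks)
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def encrypt_faulty(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Hypothetical defect (constructed for this example, not the real bug):
    # keystream is only produced for the first block and padded with zero
    # bytes afterwards, so every block after the first is emitted as plaintext.
    nblocks = -(-len(plaintext) // BLOCK)
    ks = _keystream(key, nonce, 1) + bytes(BLOCK * (nblocks - 1))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def unencrypted_blocks(plaintext: bytes, ciphertext: bytes) -> list:
    """Return indices of 16-byte blocks whose ciphertext equals the plaintext.

    This is the check from the message generalised to every block (block 1 is
    the "second 16 bytes"). An empty list means the check passes.
    """
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext lengths differ")
    bad = []
    for off in range(0, len(plaintext), BLOCK):
        if plaintext[off:off + BLOCK] == ciphertext[off:off + BLOCK]:
            bad.append(off // BLOCK)
    return bad


def second_block_encrypted(plaintext: bytes, ciphertext: bytes) -> bool:
    # The exact test stated in the message: block 1 must differ.
    return 1 not in unencrypted_blocks(plaintext, ciphertext)


# Constructed sample input: a SHA-256 digest (32 bytes, i.e. two blocks),
# matching the "at least for hashes" remark. Key and nonce are arbitrary.
SAMPLE_KEY = bytes(range(32))
SAMPLE_NONCE = bytes(BLOCK)
SAMPLE_HASH = hashlib.sha256(b"constructed sample input").digest()

if __name__ == "__main__":
    for name, fn in (("correct", encrypt_ok), ("faulty", encrypt_faulty)):
        ct = fn(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_HASH)
        print(name, "unencrypted blocks:", unencrypted_blocks(SAMPLE_HASH, ct),
              "second block encrypted:", second_block_encrypted(SAMPLE_HASH, ct))
```

Run as a script it reports no unencrypted blocks for the correct path and block 1 for the faulty one; `unencrypted_blocks` is the piece worth keeping as a regression test, since it is independent of which cipher or mode produced the ciphertext.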
_______________________________________________
Devl mailing list
[email protected]
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl