Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-04-09 Thread /dev/rob0
On Tue, Apr 01, 2014 at 11:54:28AM -0500, I wrote:
^^
 On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
  On 25/03/14 07:03 PM, sven falempin wrote:
   my concern of nettle vs openssl is the amount of review and 
   testing nettle did get compared to something more widely(!)
   used openssl
  
  something being used a lot != something being good
 
 Absolutely true, but in the context of open source software, 
 especially cryptographic software, more use also tends to mean
 more code review.

April Fools!

;)

 I'm not really qualified to judge here what is best; I can only
 point out what I, as a user, think about it. I'll trust Simon's 
 judgment, but I hope he has considered these concerns.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-04-09 Thread Dave Taht
On Wed, Apr 9, 2014 at 6:24 AM, /dev/rob0 r...@gmx.co.uk wrote:
 On Tue, Apr 01, 2014 at 11:54:28AM -0500, I wrote:
 ^^
 On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
  On 25/03/14 07:03 PM, sven falempin wrote:
   my concern of nettle vs openssl is the amount of review and
   testing nettle did get compared to something more widely(!)
   used openssl
 
  something being used a lot != something being good

 Absolutely true, but in the context of open source software,
 especially cryptographic software, more use also tends to mean
 more code review.

 April Fools!

 ;)

My heart bleeds for the openssl folk and openssl derived application users
right now. More investment into creating, maintaining and improving
core crypto libraries is desperately needed to hold our civilization together.

 I'm not really qualified to judge here what is best; I can only
 point out what I, as a user, think about it. I'll trust Simon's
 judgment, but I hope he has considered these concerns.
 --
   http://rob0.nodns4.us/
   Offlist GMX mail is seen only if /dev/rob0 is in the Subject:




-- 
Dave Täht

NSFW: 
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article



Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-04-09 Thread Olaf Westrik

Simon,


Don't underestimate the contribution of all the people who take
responsibility for the software that runs as root, or exposed to the
net, on your machines. It's something I have nightmares about.


I do hope that is not true and that you sleep well.
So much better to be rested and clear headed when coding :-)


Olaf



Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-04-01 Thread /dev/rob0
On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
 On 25/03/14 07:03 PM, sven falempin wrote:
  my concern of nettle vs openssl is the amount of review and 
  testing nettle did get compared to something more widely(!)
  used
 
 something being used a lot != something being good

Absolutely true, but in the context of open source software, 
especially cryptographic software, more use also tends to mean
more code review.

I'm not really qualified to judge here what is best; I can only
point out what I, as a user, think about it. I'll trust Simon's 
judgment, but I hope he has considered these concerns.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-04-01 Thread Dave Taht
On Tue, Apr 1, 2014 at 9:54 AM, /dev/rob0 r...@gmx.co.uk wrote:
 On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
 On 25/03/14 07:03 PM, sven falempin wrote:
  my concern of nettle vs openssl is the amount of review and
  testing nettle did get compared to something more widely(!)
  used

 something being used a lot != something being good

 Absolutely true, but in the context of open source software,
 especially cryptographic software, more use also tends to mean
 more code review.

 I'm not really qualified to judge here what is best; I can only
 point out what I, as a user, think about it. I'll trust Simon's
 judgment, but I hope he has considered these concerns.

I have not been tracking this conversation closely, but my own
take on matters is that I'm opposed to a monoculture of anything...

http://www.abc.net.au/news/2013-08-29/feature-banana/4922208

And thus I enthusiastically support other OSes than linux, other
dns servers besides bind, and other crypto libraries besides openssl.

 --
   http://rob0.nodns4.us/
   Offlist GMX mail is seen only if /dev/rob0 is in the Subject:




-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html



Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-04-01 Thread Brad Smith

On 01/04/14 1:45 PM, Dave Taht wrote:

On Tue, Apr 1, 2014 at 9:54 AM, /dev/rob0 r...@gmx.co.uk wrote:

On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:

On 25/03/14 07:03 PM, sven falempin wrote:

my concern of nettle vs openssl is the amount of review and
testing nettle did get compared to something more widely(!)
used


something being used a lot != something being good


Absolutely true, but in the context of open source software,
especially cryptographic software, more use also tends to mean
more code review.

I'm not really qualified to judge here what is best; I can only
point out what I, as a user, think about it. I'll trust Simon's
judgment, but I hope he has considered these concerns.


I have not been tracking this conversation closely, but my own
take on matters is that I'm opposed to a monoculture of anything...

http://www.abc.net.au/news/2013-08-29/feature-banana/4922208

And thus I enthusiastically support other OSes than linux, other
dns servers besides bind, and other crypto libraries besides openssl.


I have no problem with not having a monoculture. But provide an
option to support more than one crypto library. Don't assume what
is good for OpenWRT and other embedded OSes is good for everyone
else. That's making a really poor assumption.


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.




Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-04-01 Thread Nathan Dorfman
On Tue, Apr 1, 2014 at 12:54 PM, /dev/rob0 r...@gmx.co.uk wrote:

 a



I can't speak to an actual code audit, but nettle isn't some third-rate
clone. It's a mature, actively developed and (importantly) thoroughly
documented project.

If I were to undertake such an audit however, I would surely prefer to have
to audit nettle rather than OpenSSL, as unlike the latter, nettle's code is
quite readable and even easy on the eyes.

Not to mention that there's much less code to begin with, as the library
simply doesn't try to do everything OpenSSL does. From their
introduction[1]:

Nettle tries to avoid this problem by doing one thing, the low-level
crypto stuff, and providing a *simple* but general interface to it. In
particular, Nettle doesn't do algorithm selection. It doesn't do memory
allocation. It doesn't do any I/O.

Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
someone should speak up for nettle :)

-nd.

[1] - http://www.lysator.liu.se/~nisse/nettle/nettle.html#Introduction


Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-04-01 Thread Nathan Dorfman
With such superior understanding, shouldn't you be adding OpenSSL support
to dnsmasq yourself? That way you can deal with their byzantine API and the
resulting bugs, and Simon can instead do something actually worthwhile.



On Tue, Apr 1, 2014 at 2:07 PM, Brad Smith b...@comstyle.com wrote:

 On 01/04/14 2:02 PM, Nathan Dorfman wrote:

 Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
 someone should speak up for nettle :)


 speaking up for nettle means nothing when you don't understand the
 issue at hand.






Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-04-01 Thread /dev/rob0
On Tue, Apr 01, 2014 at 10:45:44AM -0700, Dave Taht wrote:
 And thus I enthusiastically support other OSes than linux,
 other dns servers besides bind, and other crypto libraries
 besides openssl.

One named to rule them all
One named to find them
One named to bring them all
And in the darkness BIND them.

:)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-04-01 Thread Simon Kelley
On 01/04/14 19:14, Nathan Dorfman wrote:
 With such superior understanding, shouldn't you be adding OpenSSL support
 to dnsmasq yourself? That way you can deal with their byzantine API and the
 resulting bugs, and Simon can instead do something actually worthwhile.
 
 
But don't do that before the licensing issue has been resolved. The
motive for moving from openSSL to (not openSSL) was largely about
incompatible licenses. Delving into the git repo and finding the openSSL
adapter code is the least of the problems.

... and if anyone is volunteering to do a code audit, can I ask they
consider auditing the dnsmasq DNSSEC code, which is orders of magnitude
less mature than either openSSL _or_ Nettle? Let's get our priorities
right here.


Simon.


 
 On Tue, Apr 1, 2014 at 2:07 PM, Brad Smith b...@comstyle.com wrote:
 
 On 01/04/14 2:02 PM, Nathan Dorfman wrote:

 Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
 someone should speak up for nettle :)


 speaking up for nettle means nothing when you don't understand the
 issue at hand.




 
 
 
 




Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-03-26 Thread Olaf Westrik



I happen to be in a similar position as Lonnie.
Since we use packages that use OpenSSL (Apache, OpenVPN, wget, Perl
SSLeay), we already ship the openssl libraries and not nettle.


Sorry, forgot to list sshd.

Olaf



Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-03-25 Thread Simon Kelley
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 25/03/14 14:43, Alex Xu wrote:
 I'm writing the Gentoo ebuild for dnsmasq 2.69rc1 
 (https://bugs.gentoo.org/show_bug.cgi?id=504154), and I was
 wondering if dnsmasq requires nettle and gmp, or actually
 nettle[gmp].
 
 The latter builds nettle with --enable-public-key.
 


Probably the latter. Nettle yields two libraries, libnettle and
libhogweed. Libnettle has the symmetric ciphers and hashes, and doesn't
depend on libgmp. Libhogweed has the public-key ciphers and does
depend on gmp.

It sounds like nettle[gmp] is the libnettle and libhogweed version.

dnsmasq needs both libnettle and libhogweed, and therefore also libgmp.

Cheers,


Simon.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlMx8XQACgkQKPyGmiibgreiJQCfT0Mv5xogk7rnGC6go9UXUMYY
d+wAnRTuKBI3O8jUb2hezEcaOaZ3YPPA
=Jldh
-END PGP SIGNATURE-

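A practical check for the dependency chain Simon describes (libnettle for hashes and symmetric ciphers, libhogweed for the public-key operations, libgmp underneath libhogweed), written as an added example for this archive page; it is not dnsmasq code and was not posted in the thread. It looks at the "Compile time options" line of `dnsmasq --version` for the DNSSEC option (dnsmasq prints `no-DNSSEC` when the feature is compiled out, so the whole token is matched) and at `ldd` output for the three shared libraries. The version and ldd samples embedded below are constructed for offline use, not captured from a real host, and the exact wording of real output can differ between releases. The statically linked build Simon mentions elsewhere in the thread legitimately shows none of the three libraries in `ldd`, so the library check is only meaningful for a shared build.

```shell
#!/bin/sh
# Added example (not dnsmasq code): check a dnsmasq binary for DNSSEC
# support and for the crypto libraries its DNSSEC code needs at run time.
# Each checker reads stdin, so it can be fed real output:
#   dnsmasq --version | has_dnssec_option
#   ldd /usr/sbin/dnsmasq | dynamic_crypto_libs
# or the constructed samples below.

# Exit 0 if the "Compile time options" line lists DNSSEC as enabled.
# dnsmasq prints "no-DNSSEC" when the feature is compiled out, so the
# whole token is matched (-x) rather than the substring.
has_dnssec_option() {
    grep -E '^Compile time options:' | tr ' ' '\n' | grep -qx 'DNSSEC'
}

# Report which of libnettle, libhogweed and libgmp are dynamically linked.
# Exit 0 only if all three are present. A statically linked build shows
# none of them, which is expected rather than an error in that case.
dynamic_crypto_libs() {
    ldd_out=$(cat)
    found=""
    missing=""
    for lib in libnettle libhogweed libgmp; do
        if printf '%s\n' "$ldd_out" | grep -q "^[[:space:]]*$lib\.so"; then
            found="$found $lib"
        else
            missing="$missing $lib"
        fi
    done
    printf 'linked:%s\nmissing:%s\n' "$found" "$missing"
    [ -z "$missing" ]
}

# Constructed samples (assumed output shape; not captured from a real system).
SAMPLE_VERSION='Dnsmasq version 2.69rc1  Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC'

SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd1c3f0000)
	libnettle.so.4 => /usr/lib/libnettle.so.4 (0x00007f1a2c200000)
	libhogweed.so.2 => /usr/lib/libhogweed.so.2 (0x00007f1a2bfd0000)
	libgmp.so.10 => /usr/lib/libgmp.so.10 (0x00007f1a2bd50000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2b980000)'

# Combine both checks: "$1" is the version output, "$2" the ldd output.
# Fails only when DNSSEC is compiled out; a missing shared library is
# reported but tolerated because it is normal for a static build.
report() {
    if printf '%s\n' "$1" | has_dnssec_option; then
        echo "DNSSEC: compiled in"
    else
        echo "DNSSEC: not compiled in (no-DNSSEC)"
        return 1
    fi
    if printf '%s\n' "$2" | dynamic_crypto_libs; then
        echo "crypto: libnettle, libhogweed and libgmp all linked"
    else
        echo "crypto: not all libraries linked dynamically (fine for a static build)"
    fi
}

report "$SAMPLE_VERSION" "$SAMPLE_LDD"
```

For a static build, pair the DNSSEC option check with `ldd` reporting "not a dynamic executable" rather than expecting the three libraries to appear.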


Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-03-25 Thread Lonnie Abelbeck

On Mar 25, 2014, at 4:52 PM, Simon Kelley wrote:

 On 25/03/14 21:25, Lonnie Abelbeck wrote:
 
 
 Is the decision to not support OpenSSL shared libraries a final decision, or 
 is there a chance you may reconsider ?
 
 
 The very early DNSSEC code used openSSL, so it's possible. The reason
 for the change (in no particular order) was 1) the API is much nicer. 2)
 licensing considerations.
 
 I evaluated several possible libraries before choosing Nettle.
 
 One of the worries was bloat, especially in openWRT and similar router
 distributions. The conclusion was that those typically don't include
openSSL anyway, they use things like dropbear, which has its own crypto.
 
Note that whilst a full shared installation of nettle and gmp is
 large, the dnsmasq build system allows static linking, which means that
 you get the small portion of the libraries which is needed by dnsmasq,
 not the whole thing. When I last checked, dnsmasq compiled with DNSSEC
 support and statically linked against Nettle and stripped was 200k or
 so. That needs no extra disk space for crypto libraries at all.  200k +
 libc gives you everything.
 
 
 Conclusions from this:
 
 1) It would be possible to use openSSL instead of Nettle.
 2) To do so, you'd have to convince me (and other copyright holders) to
 add an openSSL exception to the dnsmasq license. I have a built-in bias
 for GPL-licensed software.
 3) There are no real resource arguments for using openSSL instead of Nettle.
 
 Do you want openSSL instead of Nettle? If so, why?
 
 Cheers,
 
 Simon.

I would prefer OpenSSL support.

As a developer for a cross-compiled x86 open source project (AstLinux) building 
and maintaining additional libraries (particularly crypto) is not ideal when so 
many packages already require OpenSSL.

We also try to keep the bloat out as much as possible, our compressed images 
are around 40 MB in size.

Your excellent dnsmasq is one of our core packages, it would be our preference 
if it also supported the time-tested OpenSSL shared libraries.

Obviously using Nettle is not a deal breaker, but I think OpenSSL vs. Nettle is 
a good discussion to have.

Thanks,
Lonnie

