Is there a repo for the latest LibreSSL portable?

2014-08-10 Thread Nicholas Wilson
Hi,

I really appreciate the work you're doing on LibreSSL, and donated
immediately when it was announced. As a FreeBSD user I reluctantly
programme with OpenSSL every day for my job, and I'm delighted something's
finally being done.

Maybe this is a silly question - but where is the code for the portable
version checked in? I think I understand the development model from working
with OpenSSH dev, but surely the portable compat files must be kept in
version control somewhere though, as well as in the tarball releases. I'd
like to contribute to LibreSSL but do I have to install and develop on
OpenBSD just to run the latest trunk code?

One thing I'd be interested in merging from OpenSSL 1.0.2-beta is support
for RSA PSS signatures with SHA-256 (which the 1.0.1 API surprisingly
doesn't expose). Is there a bug tracker for LibreSSL yet, or is this list
the place to ask if that's currently being worked on?

All the best,
Nick Wilson


Re: Is there a repo for the latest LibreSSL portable?

2014-08-10 Thread Nicholas Wilson
On 10 August 2014 11:53, Adam Wolk adam.w...@koparo.com wrote:
> According to http://www.libressl.org/:
> We have a github repository clone as libressl-portable[1] on github for the
> curious. This is a copy of the working repositories which are not
> maintained on github.

I read that -- but it sounds like the github repo isn't the official
version of the sources. When I checked earlier in the week, it
definitely wasn't up to date with the CVS source. For the core
libcrypto and libssl source, the official sources are from OpenBSD
CVS, but what about the portable bits? Is github then the official
repository for the latest versions of those files?

Certainly from my point of view it would make things simpler if
LibreSSL were run more like a normal project on github or bitbucket,
with one portable trunk and a script that OpenBSD can use to *remove*
the compat source when they do a sync. Is the intention that LibreSSL
core development will be mostly done by the OpenBSD community, or is
it hoped that it will attract more contributions from outside? Making
it clearer to run trunk on Linux and Mac might help.

I guess I need to get coding and do something useful for LibreSSL
before suggesting changes to the project though!

Thanks,
Nick



Re: Is there a repo for the latest LibreSSL portable?

2014-08-10 Thread Nicholas Wilson
Hi Ingo,

On 10 August 2014 15:54, Ingo Schwarze schwa...@usta.de wrote:
> Portability goo clutters code and reduces readability, and hence
> endangers correctness and security ...
> Making a portable version is *impossible*
> without some clutter (even though the portability goo in OpenBSD
> sub-projects is often less heavy than the clutter you find in some
> other project's master repos).

I understand the reasoning, but for LibreSSL it seems a shame since
the portable goo is so minimal. Unlike OpenSSH, which has by
necessity tons of hooks for platform behaviour, the only changes so
far in LibreSSL portable are adding an implementation of OpenBSD
functions like getentropy(), and some headers. Having those platform
implementations sitting there in a compat directory doesn't make it
harder to audit the code, does it?

Oh well! The project will work it out if it becomes a common problem.

My main question is still unanswered, namely what the ideas are for
the API exposing the RSA PSS/OAEP MGF1 hash. Should I send in a patch
porting over the OpenSSL 1.0.2 API for it? Better, I'd ideally like to
split out libcrypto into more modular components so that LibreSSL can
be used without all the horrific layers of goo (ECDH_METHOD structure
and other useless clutter!). The OpenSSL API goo can remain as a way
to access the underlying crypto functions, but the internal API should
be cleaner. I'd be interested in making those changes for the RSA and
EC code.

Nick