Is there a repo for the latest LibreSSL portable?

2014-08-10 Thread Nicholas Wilson
Hi,

I really appreciate the work you're doing on LibreSSL, and donated
immediately when it was announced. As a FreeBSD user I reluctantly
programme with OpenSSL every day for my job, and I'm delighted something's
finally being done.

Maybe this is a silly question - but where is the code for the portable
version checked in? I think I understand the development model from working
with OpenSSH dev, but surely the portable compat files must be kept in
version control somewhere though, as well as in the tarball releases. I'd
like to contribute to LibreSSL but do I have to install and develop on
OpenBSD just to run the latest trunk code?

One thing I'd be interested in merging from OpenSSL 1.0.2-beta is support
for RSA PSS signatures with SHA-256 (which the 1.0.1 API surprisingly
doesn't expose). Is there a bug tracker for LibreSSL yet, or is this list
the place to ask if that's currently being worked on?

All the best,
Nick Wilson


Re: Is there a repo for the latest LibreSSL portable?

2014-08-10 Thread Adam Wolk
Hi,

On Sun, Aug 10, 2014, at 12:38 PM, Nicholas Wilson wrote:
 Maybe this is a silly question - but where is the code for the portable
 version checked in? I think I understand the development model from working
 with OpenSSH dev, but surely the portable compat files must be kept in
 version control somewhere though, as well as in the tarball releases. I'd
 like to contribute to LibreSSL but do I have to install and develop on
 OpenBSD just to run the latest trunk code?
 

According to http://www.libressl.org/:
 We have a github repository clone as libressl-portable[1] on github for the 
 curious. This is a copy of the working repositories which are not 
 maintained on github.

[1] https://github.com/libressl-portable/

I guess you can work on the portable github mirror and submit patches to
the list if you don't want to work with cvs directly. It is also worth
noting the readme on the github repo:

 Development is done in the upstream OpenBSD codebase. 
 A github clone of the official repositories is kept at: 
 https://github.com/libressl-portable
 We update this repository from the OpenBSD repositories
 semi-frequently, so changes may not show up in GitHub immediately. 
 The GitHub repository should be used for informational purposes only.


Regards,
-- 
  Adam Wolk
  adam.w...@koparo.com



Re: Is there a repo for the latest LibreSSL portable?

2014-08-10 Thread Nicholas Wilson
On 10 August 2014 11:53, Adam Wolk adam.w...@koparo.com wrote:
 According to http://www.libressl.org/:
 We have a github repository clone as libressl-portable[1] on github for the 
 curious. This is a copy of the working repositories which are not 
 maintained on github.

I read that -- but it sounds like the github repo isn't the official
version of the sources. When I checked earlier in the week, it
definitely wasn't up to date with the CVS source. For the core
libcrypto and libssl source, the official sources are from OpenBSD
CVS, but what about the portable bits? Is github then the official
repository for the latest versions of those files?

Certainly from my point of view it would make things simpler if
LibreSSL were run more like a normal project on github or bitbucket,
with one portable trunk and a script that OpenBSD can use to *remove*
the compat source when they do a sync. Is the intention that LibreSSL
core development will be mostly done by the OpenBSD community, or is
it hoped that it will attract more contributions from outside? Making
it clearer to run trunk on Linux and Mac might help.

I guess I need to get coding and do something useful for LibreSSL
before suggesting changes to the project though!

Thanks,
Nick



Re: Is there a repo for the latest LibreSSL portable?

2014-08-10 Thread Ingo Schwarze
Hi Nick,

I'm not speaking for LibreSSL, but about OpenBSD subprojects in general;
I'm running src/usr.bin/mandoc (portable version: mdocml.bsd.lv).

Nicholas Wilson wrote on Sun, Aug 10, 2014 at 02:05:16PM +0100:

 Certainly from my point of view it would make things simpler if
 LibreSSL were run more like a normal project on github or bitbucket,
 with one portable trunk and a script that OpenBSD can use to *remove*
 the compat source when they do a sync.

I'm bold enough to say that is not going to happen.  Safe development
practices are paramount to OpenBSD sub-projects.  In particular, the
master version of the code must be clean and concise in order to make
it easy to spot bugs.  The master version must never contain portability
goo (it does use portable interfaces though where those ones are the
best ones available).

Portability goo clutters code and reduces readability, and hence
endangers correctness and security.  That's not going to happen
for code used in OpenBSD itself, that will remain restricted to the
portable versions.  Looked at from the wrong perspective, that may
look like we wanted to make OpenBSD good and everyone else suffer.
But that's not the point.  Making a portable version is *impossible*
without some clutter (even though the portability goo in OpenBSD
sub-projects is often less heavy than the clutter you find in some
other project's master repos).  So the goo in *-portable is
unavoidable, not chicane.  The OpenBSD-only version *can* be better,
and that's why we make it better.  To actually be better, it must
be the master version, not something derived from portable.

 Is the intention that LibreSSL core development will be mostly done
 by the OpenBSD community, or is it hoped that it will attract more
 contributions from outside?

OpenBSD sub-projects gladly accept outside contributions based on
their respective merit.  For the contributor sending a patch every
odd month, it doesn't really matter which repo they sync with and
whether that repo lags by a day or two.  For the prolific contributor,
solutions will be found in due time; there is a risk of becoming
a developer, for example.

Yours,
  Ingo



Re: Is there a repo for the latest LibreSSL portable?

2014-08-10 Thread Nicholas Wilson
Hi Ingo,

On 10 August 2014 15:54, Ingo Schwarze schwa...@usta.de wrote:
 Portability goo clutters code and reduces readability, and hence
 endangers correctness and security ...
 Making a portable version is *impossible*
 without some clutter (even though the portability goo in OpenBSD
 sub-projects is often less heavy than the clutter you find in some
 other project's master repos).

I understand the reasoning, but for LibreSSL it seems a shame since
the portable goo is so minimal. Unlike OpenSSH, which has by
necessity tons of hooks for platform behaviour, the only changes so
far in LibreSSL portable are adding an implementation of OpenBSD
functions like getentropy(), and some headers. Having those platform
implementations sitting there in a compat directory doesn't make it
harder to audit the code, does it?

Oh well! The project will work it out if it becomes a common problem.

My main question is still unanswered, namely what the ideas are for
the API exposing the RSA PSS/OAEP MGF1 hash. Should I send in a patch
porting over the OpenSSL 1.0.2 API for it? Better, I'd ideally like to
split out libcrypto into more modular components so that LibreSSL can
be used without all the horrific layers of goo (ECDH_METHOD structure
and other useless clutter!). The OpenSSL API goo can remain as a way
to access the underlying crypto functions, but the internal API should
be cleaner. I'd be interested in making those changes for the RSA and
EC code.

Nick



Re: Is there a repo for the latest LibreSSL portable?

2014-08-10 Thread Ted Unangst
On Sun, Aug 10, 2014 at 11:38, Nicholas Wilson wrote:

 Maybe this is a silly question - but where is the code for the portable
 version checked in? I think I understand the development model from working
 with OpenSSH dev, but surely the portable compat files must be kept in
 version control somewhere though, as well as in the tarball releases. I'd
 like to contribute to LibreSSL but do I have to install and develop on
 OpenBSD just to run the latest trunk code?

I think you've got the answer, but the OpenBSD cvs tree is the
official source for feature development. That said, since the
portable layer is so small and abstracted, patches against portable
releases will almost certainly apply against the cvs tree.

I think the important thing is first making a patch against any
libressl tree. Reviewing/applying/rediffing the patch can always be
done after that. Contribute first, ask how to contribute later. :)


 One thing I'd be interested in merging from OpenSSL 1.0.2-beta is support
 for RSA PSS signatures with SHA-256 (which the 1.0.1 API surprisingly
 doesn't expose). Is there a bug tracker for LibreSSL yet, or is this list
 the place to ask if that's currently being worked on?

For feature development, this list. The github tracker is probably
best used only for portable issues.



Re: Is there a repo for the latest LibreSSL portable?

2014-08-10 Thread Joel Sing
On Mon, 11 Aug 2014, Nicholas Wilson wrote:
 Hi Ingo,

 On 10 August 2014 15:54, Ingo Schwarze schwa...@usta.de wrote:
  Portability goo clutters code and reduces readability, and hence
  endangers correctness and security ...
  Making a portable version is *impossible*
  without some clutter (even though the portability goo in OpenBSD
  sub-projects is often less heavy than the clutter you find in some
  other project's master repos).

 I understand the reasoning, but for LibreSSL it seems a shame since
 the portable goo is so minimal. Unlike OpenSSH, which has by
 necessity tons of hooks for platform behaviour, the only changes so
 far in LibreSSL portable are adding an implementation of OpenBSD
 functions like getentropy(), and some headers. Having those platform
 implementations sitting there in a compat directory doesn't make it
 harder to audit the code, does it?

 Oh well! The project will work it out if it becomes a common problem.

 My main question is still unanswered, namely what the ideas are for
 the API exposing the RSA PSS/OAEP MGF1 hash. Should I send in a patch
 porting over the OpenSSL 1.0.2 API for it?

Which API are you referring to? You are certainly welcome to send a diff - I 
cannot guarantee that it will be committed, however we would certainly review 
and consider it.

 Better, I'd ideally like to 
 split out libcrypto into more modular components so that LibreSSL can
 be used without all the horrific layers of goo (ECDH_METHOD structure
 and other useless clutter!). The OpenSSL API goo can remain as a way
 to access the underlying crypto functions, but the internal API should
 be cleaner. I'd be interested in making those changes for the RSA and
 EC code.

At this stage our primary approach is to maintain API compatibility (as far 
as possible) with OpenSSL. That said, I have been pondering an easy to use 
and robust interface for ed25519. If you came up with an API that was 
consistent/clean and worked for both ed25519 and RSA-PSS, then I'd certainly 
be interested. That said, we would probably look at providing the OpenSSL API 
as a wrapper around the cleaner API.
-- 

   Stop assuming that systems are secure unless demonstrated insecure;
start assuming that systems are insecure unless designed securely.
  - Bruce Schneier