Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-11-16 Thread Arnaud Loonstra

Before 4pm UTC suits me as well, both days. I prefer the 6th.

Rg,

Arnaud

On 16-11-2022 20:12, Luca Boccassi wrote:

For myself, before 4pm or after 7.30pm (UTC) both days

On Wed, 16 Nov 2022 at 18:47, Amir Montazery wrote:


Thank you! Many of us are in european timezones as well (I myself am
based in Chicago, USA). Is there a time that works best on Monday,
December 5th or Tuesday, December 6th?

On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi wrote:

Sounds great, thank you - most of us are in the european
timezones, let us know when you have a date/time in mind

On Tue, 15 Nov 2022 at 18:02, Amir Montazery wrote:

Thank you to everyone who has helped so far! What we can
concretely offer is below under "What you can expect". We
totally understand you maintainers are busy so the process
is designed to be easy for those who participate. We also
have a budget to compensate maintainers who help out
directly (that can go to a nonprofit of the project's choice
as well).

Our first team of security experts is ready to meet the week
of December 5th if you'd like to participate.

p.s The OSTIF team plans to be in Brussels for fosdem so we
hope to see some of you there!

Thank you and let me know who would like to participate.

- Amir


What you can expect

Here are what we’re going to do (and need your help with) in
a nutshell:

  * We’ll Perform an Initial Assessment

      o Meet with you to better understand and ask questions
        about your package – its architecture, design
        choices, known issues, and so on

      o Install Scorecard if you don’t already have it – this
        evaluates your environment against a set of SDLC best
        practices (see https://securityscorecards.dev/ for
        more info) – and identify opportunities to improve
        low-scoring checks

      o Perform a quick code review, get your package to
        build, check for quality and best practices

      o Assess whether your package would benefit from
        fuzzing and is compatible with our OSS-Fuzz
        offering.

      o Assess whether your package would benefit from SLSA
        and/or SBOM, software supply chain integrity (SSCI)
        technologies (for example, do your users commonly
        build from source or consume binaries that you
        build?)

  * If Warranted, We’ll Proceed with an In-Depth Review

      o Perform a targeted code review on your package to
        identify security vulnerabilities or recommended
        defense-in-depth fixes

      o If applicable, integrate your package with the OSS
        Fuzz offering and tune it to achieve maximum coverage.

      o Improve eligible Scorecard check scores

      o Assist you with deploying SLSA and SBOM

Here’s what we’ll ask you to do:

  * During the Initial Assessment

      o Meet with us and our partners in a “kick-off”
        meeting where we’ll ask you a number of questions
        about your package and how it works to build a
        shared threat model and scope the review

  * During Our In-Depth Review

      o Assist us with onboarding your package to OSS-Fuzz
        if applicable, and you’ll be compensated for doing so

      o Assist us with improving the Scorecard checks we
        recommend, and you’ll be compensated for each

      o Assist us with implementing SLSA and SBOM, if
        applicable, and you’ll be compensated for doing so

  * After our In-Depth Review

      o Review the security vulnerabilities we find (if any)
        and our recommended defense-in-depth fixes (if any),

Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-11-16 Thread Luca Boccassi
For myself, before 4pm or after 7.30pm (UTC) both days

On Wed, 16 Nov 2022 at 18:47, Amir Montazery wrote:

> Thank you! Many of us are in european timezones as well (I myself am based
> in Chicago, USA). Is there a time that works best on Monday, December 5th
> or Tuesday, December 6th?
>
> On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi wrote:
>
>> Sounds great, thank you - most of us are in the european timezones, let
>> us know when you have a date/time in mind
>>
>> On Tue, 15 Nov 2022 at 18:02, Amir Montazery wrote:
>>
>>> Thank you to everyone who has helped so far! What we can concretely
>>> offer is below under "What you can expect". We totally understand you
>>> maintainers are busy so the process is designed to be easy for those who
>>> participate. We also have a budget to compensate maintainers who help out
>>> directly (that can go to a nonprofit of the project's choice as well).
>>>
>>> Our first team of security experts is ready to meet the week of December
>>> 5th if you'd like to participate.
>>>
>>> p.s The OSTIF team plans to be in Brussels for fosdem so we hope to see
>>> some of you there!
>>>
>>> Thank you and let me know who would like to participate.
>>>
>>> - Amir
>>>
>>>
>>> What you can expect
>>>
>>> Here are what we’re going to do (and need your help with) in a nutshell:
>>>
>>>    - We’ll Perform an Initial Assessment
>>>       - Meet with you to better understand and ask questions about your
>>>         package – its architecture, design choices, known issues, and so on
>>>       - Install Scorecard if you don’t already have it – this evaluates
>>>         your environment against a set of SDLC best practices (see
>>>         https://securityscorecards.dev/ for more info) – and identify
>>>         opportunities to improve low-scoring checks
>>>       - Perform a quick code review, get your package to build, check for
>>>         quality and best practices
>>>       - Assess whether your package would benefit from fuzzing and is
>>>         compatible with our OSS-Fuzz offering.
>>>       - Assess whether your package would benefit from SLSA and/or SBOM,
>>>         software supply chain integrity (SSCI) technologies (for example,
>>>         do your users commonly build from source or consume binaries that
>>>         you build?)
>>>    - If Warranted, We’ll Proceed with an In-Depth Review
>>>       - Perform a targeted code review on your package to identify
>>>         security vulnerabilities or recommended defense-in-depth fixes
>>>       - If applicable, integrate your package with the OSS Fuzz offering
>>>         and tune it to achieve maximum coverage.
>>>       - Improve eligible Scorecard check scores
>>>       - Assist you with deploying SLSA and SBOM
>>>
>>> Here’s what we’ll ask you to do:
>>>
>>>    - During the Initial Assessment
>>>       - Meet with us and our partners in a “kick-off” meeting where we’ll
>>>         ask you a number of questions about your package and how it works
>>>         to build a shared threat model and scope the review
>>>    - During Our In-Depth Review
>>>       - Assist us with onboarding your package to OSS-Fuzz if applicable,
>>>         and you’ll be compensated for doing so
>>>       - Assist us with improving the Scorecard checks we recommend, and
>>>         you’ll be compensated for each
>>>       - Assist us with implementing SLSA and SBOM, if applicable, and
>>>         you’ll be compensated for doing so
>>>    - After our In-Depth Review
>>>       - Review the security vulnerabilities we find (if any) and our
>>>         recommended defense-in-depth fixes (if any), and remediate each
>>>         vulnerability within a reasonable timeframe (we’ll work this out
>>>         with you when the time comes), and you’ll be compensated for each
>>>       - If applicable, produce a new build that includes all of the
>>>         improvements made during this process
>>>
>>> On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery wrote:
>>>
>>>> Awesome! Thank you for that Luca. Apologies for the lag, I was in
>>>> Detroit last week for KubeCon meeting a number of projects we've done
>>>> security engagements with and collecting feedback.
>>>>
>>>> I hope we can sync soon and discuss opportunities to help out with
>>>> zeromq! Our org OSTIF (https://ostif.org/) has been advocating for
>>>> providing free help to open source projects for almost 8 years now. We
>>>> finally have some resources on our bench to help projects out with their
>>>> security needs. I am

Re: [zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc

2022-11-16 Thread Amir Montazery
Thank you! Many of us are in european timezones as well (I myself am based
in Chicago, USA). Is there a time that works best on Monday, December 5th
or Tuesday, December 6th?

On Tue, Nov 15, 2022 at 5:58 PM Luca Boccassi wrote:

> Sounds great, thank you - most of us are in the european timezones, let us
> know when you have a date/time in mind
>
> On Tue, 15 Nov 2022 at 18:02, Amir Montazery wrote:
>
>> Thank you to everyone who has helped so far! What we can concretely offer
>> is below under "What you can expect". We totally understand you maintainers
>> are busy so the process is designed to be easy for those who participate.
>> We also have a budget to compensate maintainers who help out directly (that
>> can go to a nonprofit of the project's choice as well).
>>
>> Our first team of security experts is ready to meet the week of December
>> 5th if you'd like to participate.
>>
>> p.s The OSTIF team plans to be in Brussels for fosdem so we hope to see
>> some of you there!
>>
>> Thank you and let me know who would like to participate.
>>
>> - Amir
>>
>>
>> What you can expect
>>
>> Here are what we’re going to do (and need your help with) in a nutshell:
>>
>>    - We’ll Perform an Initial Assessment
>>       - Meet with you to better understand and ask questions about your
>>         package – its architecture, design choices, known issues, and so on
>>       - Install Scorecard if you don’t already have it – this evaluates
>>         your environment against a set of SDLC best practices (see
>>         https://securityscorecards.dev/ for more info) – and identify
>>         opportunities to improve low-scoring checks
>>       - Perform a quick code review, get your package to build, check for
>>         quality and best practices
>>       - Assess whether your package would benefit from fuzzing and is
>>         compatible with our OSS-Fuzz offering.
>>       - Assess whether your package would benefit from SLSA and/or SBOM,
>>         software supply chain integrity (SSCI) technologies (for example,
>>         do your users commonly build from source or consume binaries that
>>         you build?)
>>    - If Warranted, We’ll Proceed with an In-Depth Review
>>       - Perform a targeted code review on your package to identify
>>         security vulnerabilities or recommended defense-in-depth fixes
>>       - If applicable, integrate your package with the OSS Fuzz offering
>>         and tune it to achieve maximum coverage.
>>       - Improve eligible Scorecard check scores
>>       - Assist you with deploying SLSA and SBOM
>>
>> Here’s what we’ll ask you to do:
>>
>>    - During the Initial Assessment
>>       - Meet with us and our partners in a “kick-off” meeting where we’ll
>>         ask you a number of questions about your package and how it works
>>         to build a shared threat model and scope the review
>>    - During Our In-Depth Review
>>       - Assist us with onboarding your package to OSS-Fuzz if applicable,
>>         and you’ll be compensated for doing so
>>       - Assist us with improving the Scorecard checks we recommend, and
>>         you’ll be compensated for each
>>       - Assist us with implementing SLSA and SBOM, if applicable, and
>>         you’ll be compensated for doing so
>>    - After our In-Depth Review
>>       - Review the security vulnerabilities we find (if any) and our
>>         recommended defense-in-depth fixes (if any), and remediate each
>>         vulnerability within a reasonable timeframe (we’ll work this out
>>         with you when the time comes), and you’ll be compensated for each
>>       - If applicable, produce a new build that includes all of the
>>         improvements made during this process
>>
>> On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery wrote:
>>
>>> Awesome! Thank you for that Luca. Apologies for the lag, I was in
>>> Detroit last week for KubeCon meeting a number of projects we've done
>>> security engagements with and collecting feedback.
>>>
>>> I hope we can sync soon and discuss opportunities to help out with
>>> zeromq! Our org OSTIF (https://ostif.org/) has been advocating for
>>> providing free help to open source projects for almost 8 years now. We
>>> finally have some resources on our bench to help projects out with their
>>> security needs. I am finalizing what exactly that would look like in the
>>> next week!
>>>
>>> I'll have updates and resources for you soon. In the meantime feel free
>>> to reach out with any questions or feedback.
>>>
>>> Thank you,
>>> Amir
>>>
>>> On Wed, Oct 19, 2022 at 1:39 PM 

Re: [zeromq-dev] Adding new zmq_getsockopt() to retrieve number of subscriptions from XPUB socket

2022-11-16 Thread Bill Torpey
Hi Francesco:

Just to be clear, I’m not a maintainer, just an interested party.  (At my day
job I created https://github.com/nyfix/OZ which powers
https://www.broadridge.com/financial-services/capital-markets/trading-and-connectivity/order-routing-network).
I believe that Luca is currently the main person responsible for the repo.

As for your proposed PR, anything that provides more visibility to what is 
going on “under the hood” with ZeroMQ is A Good Thing, I think.  

Regards,

Bill

> On Nov 16, 2022, at 6:54 AM, Francesco wrote:
> 
> Hi Bill,
> ok thanks, sure. I can prepare such PR... I just wanted to get a
> feedback from other maintainers... I think PRs are mostly reviewed and
> merged by Luca at this point right?
> 
> Luca,
> what do you think about my proposal of new getsockopt to get number of
> actual subscriptions?
> Example usage:
> 
> /* Retrieve number of subscriptions */
> int subscriptions;
> size_t subscriptions_size = sizeof (subscriptions);
> int rc = zmq_getsockopt (socket, ZMQ_SUBSCRIPTION_COUNT, &subscriptions,
>                          &subscriptions_size);
> 
> // NOTE: ZMQ_SUBSCRIPTION_COUNT would be applicable only to XPUB, PUB,
> // XSUB, SUB socket types
> 
> 
> Thanks,
> Francesco
> 
> 
> PS: I think it would be nice to have visibility about subscriptions
> added/removed also on the socket monitor... but that's a lot of more
> detailed information... I think the basic use case is just to get the
> whole number of subscriptions (for debugging you often know how many
> subscriptions were sent and it's useful to check if any subscription
> has been dropped for some reason)
> 
> 
> 
> Il giorno mer 16 nov 2022 alle ore 01:32 Bill Torpey ha scritto:
>> 
>> Sorry Francesco — I meant your PR, I just mixed up the names.
>> 
>> B.
>> 
>>> On Nov 15, 2022, at 5:01 PM, Francesco wrote:
>>> 
>>> Hi Bill,
>>> 
>>>> Arnaud’s PR sounds useful — more visibility can only be a good thing.
>>> 
>>> sorry I'm missing which PR you are talking about... is there an
>>> existing PR to add more visibility (I'd love that)? Or you're
>>> referring to the proposal I did in my first mail?
>>> 
>>> thanks,
>>> Francesco
>>> 
>>> Il giorno mar 15 nov 2022 alle ore 22:58 Bill Torpey ha scritto:
>>>> 
>>>> The problem with all the socket monitor stuff is that it’s async — that
>>>> makes it dangerous to act on.  It’s great for monitoring/debugging -- for
>>>> real-time control not so much.
>>>> 
>>>> Arnaud’s PR sounds useful — more visibility can only be a good thing.
>>>> 
>>>> Bill
>>>> 
>>>>> On Nov 15, 2022, at 10:43 AM, Arnaud Loonstra wrote:
>>>>> 
>>>>> On 15-11-2022 15:57, Francesco wrote:
>>>>>> Hi zeromq team,
>>>>>> For "observability" / debugging I think it would be really really
>>>>>> useful to be able to retrieve the number of subscriptions recorded by
>>>>>> the 'mtrie_t' object inside a (X)PUB socket.
>>>>>> Would you accept a PR adding such option?
>>>>>> Thanks,
>>>>>> Francesco
>>>>> 
>>>>> Isn't that possible through the socket monitor?
>>>>> 
>>>>> http://api.zeromq.org/4-1:zmq-socket-monitor
>>>>> 
>>>>> Rg,
>>>>> 
>>>>> Arnaud

___
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
https://lists.zeromq.org/mailman/listinfo/zeromq-dev


Re: [zeromq-dev] Adding new zmq_getsockopt() to retrieve number of subscriptions from XPUB socket

2022-11-16 Thread Francesco
Hi Bill,
ok thanks, sure. I can prepare such PR... I just wanted to get a
feedback from other maintainers... I think PRs are mostly reviewed and
merged by Luca at this point right?

Luca,
what do you think about my proposal of new getsockopt to get number of
actual subscriptions?
Example usage:

/* Retrieve number of subscriptions */
int subscriptions;
size_t subscriptions_size = sizeof (subscriptions);
int rc = zmq_getsockopt (socket, ZMQ_SUBSCRIPTION_COUNT, &subscriptions,
                         &subscriptions_size);

// NOTE: ZMQ_SUBSCRIPTION_COUNT would be applicable only to XPUB, PUB,
// XSUB, SUB socket types


Thanks,
Francesco


PS: I think it would be nice to have visibility about subscriptions
added/removed also on the socket monitor... but that's a lot of more
detailed information... I think the basic use case is just to get the
whole number of subscriptions (for debugging you often know how many
subscriptions were sent and it's useful to check if any subscription
has been dropped for some reason)



Il giorno mer 16 nov 2022 alle ore 01:32 Bill Torpey ha scritto:
>
> Sorry Francesco — I meant your PR, I just mixed up the names.
>
> B.
>
> > On Nov 15, 2022, at 5:01 PM, Francesco wrote:
> >
> > Hi Bill,
> >
> >> Arnaud’s PR sounds useful — more visibility can only be a good thing.
> >
> > sorry I'm missing which PR you are talking about... is there an
> > existing PR to add more visibility (I'd love that)? Or you're
> > referring to the proposal I did in my first mail?
> >
> > thanks,
> > Francesco
> >
> > Il giorno mar 15 nov 2022 alle ore 22:58 Bill Torpey ha scritto:
> >>
> >> The problem with all the socket monitor stuff is that it’s async — that 
> >> makes it dangerous to act on.  It’s great for monitoring/debugging -- for 
> >> real-time control not so much.
> >>
> >> Arnaud’s PR sounds useful — more visibility can only be a good thing.
> >>
> >> Bill
> >>
> >>> On Nov 15, 2022, at 10:43 AM, Arnaud Loonstra wrote:
> >>>
> >>> On 15-11-2022 15:57, Francesco wrote:
> >>>> Hi zeromq team,
> >>>> For "observability" / debugging I think it would be really really
> >>>> useful to be able to retrieve the number of subscriptions recorded by
> >>>> the 'mtrie_t' object inside a (X)PUB socket.
> >>>> Would you accept a PR adding such option?
> >>>> Thanks,
> >>>> Francesco
> >>>
> >>> Isn't that possible through the socket monitor?
> >>>
> >>> http://api.zeromq.org/4-1:zmq-socket-monitor
> >>>
> >>> Rg,
> >>>
> >>> Arnaud
___
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
https://lists.zeromq.org/mailman/listinfo/zeromq-dev
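Counting the subscriptions an XPUB socket currently holds without a new socket option, as an added example (not code from this thread or from libzmq): it applies the subscription frames libzmq delivers to the application on an XPUB socket under ZMQ_XPUB_VERBOSER, keeping a per-prefix holder count so a prefix is only dropped when its last subscriber leaves; the table limits and the sample frames are constructed for the example.

```c
/* Added example (not from the thread or from libzmq): track the distinct prefixes
 * an XPUB socket currently holds, from the raw subscription frames libzmq hands
 * to zmq_recv() on it when ZMQ_XPUB_VERBOSER is set (byte 0: 1 = subscribe,
 * 0 = unsubscribe; rest = prefix).  Frames arrive asynchronously, so the count
 * is only as fresh as the last frame read (Bill's caveat above). */
#include <string.h>
enum { MAX_SUBS = 64, MAX_PREFIX = 64 };   /* table limits chosen for the example */

typedef struct {
    unsigned char prefix[MAX_SUBS][MAX_PREFIX];
    size_t len[MAX_SUBS];
    int refs[MAX_SUBS];   /* subscribers still holding this prefix */
    int count;            /* distinct prefixes currently subscribed */
} sub_table_t;

/* Apply one frame; returns the distinct-prefix count afterwards, or -1 for a
 * malformed frame (empty, unknown type byte) or one this table cannot hold. */
int apply_subscription_frame(sub_table_t *t, const unsigned char *frame, size_t len)
{
    if (len == 0 || len - 1 > MAX_PREFIX || frame[0] > 1)
        return -1;
    size_t n = len - 1;                           /* prefix follows the type byte */
    int idx = -1;
    for (int i = 0; i < t->count && idx < 0; i++)
        if (t->len[i] == n && memcmp(t->prefix[i], frame + 1, n) == 0)
            idx = i;
    if (frame[0] == 1) {                          /* subscribe */
        if (idx >= 0) { t->refs[idx]++; return t->count; }
        if (t->count == MAX_SUBS) return -1;
        memcpy(t->prefix[t->count], frame + 1, n);
        t->len[t->count] = n;
        t->refs[t->count] = 1;
        return ++t->count;
    }
    if (idx < 0 || --t->refs[idx] > 0)            /* unsubscribe */
        return t->count;
    t->count--;                                   /* last holder gone: drop it */
    memmove(t->prefix[idx], t->prefix[t->count], t->len[t->count]);
    t->len[idx] = t->len[t->count];
    t->refs[idx] = t->refs[t->count];
    return t->count;
}

/* Constructed sample: the frames two subscribers would produce, in order. */
int demo_subscription_count(void)
{
    static const struct { unsigned char b[2]; size_t n; } frames[] = {
        { {1, 'A'}, 2 },   /* subscriber 1 subscribes "A" */
        { {1, 0},   1 },   /* subscriber 2 subscribes "" (everything) */
        { {1, 'A'}, 2 },   /* subscriber 2 also subscribes "A" */
        { {0, 0},   1 },   /* subscriber 2 drops "" */
        { {0, 'A'}, 2 },   /* subscriber 1 drops "A"; subscriber 2 still holds it */
    };
    sub_table_t t = {0};
    int count = -1;
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        count = apply_subscription_frame(&t, frames[i].b, frames[i].n);
    return count;   /* only "A" remains: 1 */
}
```

A gap between this count and the number of subscriptions the subscribers sent is the dropped-subscription signal Francesco describes, observed after the fact rather than as real-time state.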