Re: Debian considers switching curl to use libssh instead of libssh2

2022-01-14 Thread Peter Stuge via libssh2-devel
I've seen this movie before.

Nicolas Mora via libssh2-devel wrote:
> Apart from that, I think the argument "All the other distros are
> doing that, so why not us?" is not relevant.

You underestimate the distribution groupthink. Major distributions will follow each other every time.

> If there i

Re: Debian considers switching curl to use libssh instead of libssh2

2022-01-13 Thread Red M via libssh2-devel
No.

On Fri, 14 Jan 2022, 3:32 pm Bill Segall, wrote:
> I'm not sure if this would be enough for you but would an anonymous
> remailer or gist service reached via the tor network provide you with
> sufficient safety?
>
> Bill.
>
>
> On Fri, 14 Jan 2022 at 13:29, Red M via libssh2-devel <
> libssh

Re: Debian considers switching curl to use libssh instead of libssh2

2022-01-13 Thread Bill Segall via libssh2-devel
I'm not sure if this would be enough for you but would an anonymous remailer or gist service reached via the tor network provide you with sufficient safety?

Bill.

On Fri, 14 Jan 2022 at 13:29, Red M via libssh2-devel <libssh2-devel@lists.haxx.se> wrote:
> Re: performance
> In my testing libssh

Re: Debian considers switching curl to use libssh instead of libssh2

2022-01-13 Thread Red M via libssh2-devel
Re: performance

In my testing libssh is 20-25% slower than libssh2. I can publish more about this figure soon but not only is it slower, it consumes more cycles to get the same job done.

Another thing to note is that libssh does not fully implement async/nonblocking IO for SCP and SFTP, making it

Re: Debian considers switching curl to use libssh instead of libssh2

2022-01-05 Thread Will Cosgrove via libssh2-devel
Yes, we use SecureZeroMemory() and memset_s().

Will

> On Jan 5, 2022, at 7:05 AM, Andreas Schneider wrote:
>
> On Tuesday, January 4, 2022 6:05:05 PM CET Will Cosgrove via libssh2-devel
> wrote:
>> We do zero some sensitive data, but could be reviewed for completeness.
>
> I don't know how yo

Re: Debian considers switching curl to use libssh instead of libssh2

2022-01-05 Thread Andreas Schneider via libssh2-devel
On Tuesday, January 4, 2022 6:05:05 PM CET Will Cosgrove via libssh2-devel wrote:
> We do zero some sensitive data, but could be reviewed for completeness.

I don't know how you exactly zero sensitive data, but be aware that if you do:

memset()
free()

The optimizer will optimize away the memset(

Re: Debian considers switching curl to use libssh instead of libssh2

2022-01-04 Thread Will Cosgrove via libssh2-devel
We do zero some sensitive data, but could be reviewed for completeness.

Cheers,
Will

> On Jan 2, 2022, at 1:33 PM, Daniel Stenberg via libssh2-devel
> wrote:
>
> On Sun, 2 Jan 2022, Andreas Schneider wrote:
>
>> FIPS 140-2: 4.7.6 Key Zeroization
>
> The cryptographic module must do this, ye

Re: Debian considers switching curl to use libssh instead of libssh2

2022-01-02 Thread Daniel Stenberg via libssh2-devel
On Sun, 2 Jan 2022, Andreas Schneider wrote:
> FIPS 140-2: 4.7.6 Key Zeroization

The cryptographic module must do this, yes (apparently also according to 140-3 which is the current FIPS version). It just confuses me, since libssh2 isn't a crypto module. Clearly there are details here I'm not e

Re: Debian considers switching curl to use libssh instead of libssh2

2022-01-02 Thread Andreas Schneider via libssh2-devel
On Sunday, 2 January 2022 22:05:14 CET Daniel Stenberg wrote:
> On Sun, 2 Jan 2022, Andreas Schneider wrote:
> > I was just trying to help. Better read it yourself
>
> Thanks. I read this as you either don't know or don't want to help. Thanks
> anyway for the answers you provided.

FIPS 140-2: 4.7

Re: Debian considers switching curl to use libssh instead of libssh2

2022-01-02 Thread Daniel Stenberg via libssh2-devel
On Sun, 2 Jan 2022, Andreas Schneider wrote:
> I was just trying to help. Better read it yourself

Thanks. I read this as you either don't know or don't want to help. Thanks anyway for the answers you provided.

--
 / daniel.haxx.se
--
libssh2-devel mailing list
libssh2-devel@lists.haxx.se
htt

Re: Debian considers switching curl to use libssh instead of libssh2

2022-01-02 Thread Andreas Schneider via libssh2-devel
On Friday, 31 December 2021 14:54:49 CET Daniel Stenberg wrote:
> On Fri, 31 Dec 2021, Andreas Schneider wrote:
> > * Use only crypto from a FIPS certified library (e.g. OpenSSL).
> >
> > libssh2 doesn't do that yet.
>
> When libssh2 uses OpenSSL for crypto, what else does libssh2 use for crypto

Re: Debian considers switching curl to use libssh instead of libssh2

2021-12-31 Thread Daniel Stenberg via libssh2-devel
On Fri, 31 Dec 2021, Andreas Schneider wrote:
> * Use only crypto from a FIPS certified library (e.g. OpenSSL).
>
> libssh2 doesn't do that yet.

When libssh2 uses OpenSSL for crypto, what else does libssh2 use for crypto then that makes it not adhere?

> * Zero sensitive data before freeing it

I

Re: Debian considers switching curl to use libssh instead of libssh2

2021-12-31 Thread Andreas Schneider via libssh2-devel
On Friday, December 31, 2021 12:27:26 PM CET Daniel Stenberg wrote:
> > c) FIPS readiness
>
> How is libssh more ready for FIPS than libssh2?

The easiest way is to pay a company which does FIPS certification to check the source code for you and produce a list of things which need to be addressed

Re: Debian considers switching curl to use libssh instead of libssh2

2021-12-31 Thread Daniel Stenberg via libssh2-devel
On Fri, 31 Dec 2021, Andreas Schneider via libssh2-devel wrote:
> a) Required features like ciphers and GSSAPI support

When we talk about SSH for curl, the relevance should probably be from a curl angle where for example libssh in curl also lacks features that curl+libssh2 provides. That's of

Re: Debian considers switching curl to use libssh instead of libssh2

2021-12-31 Thread Andreas Schneider via libssh2-devel
On Friday, 31 December 2021 08:43:49 CET Tor Arntsen via libssh2-devel wrote:
> On Fri, 31 Dec 2021 at 02:13, Nicolas Mora via libssh2-devel
> The only part of the Fedora report which looks like an argument is this:
> "the libssh2 library uses outdated cryptographic algorithms and lacks
> important

Re: Debian considers switching curl to use libssh instead of libssh2

2021-12-30 Thread Tor Arntsen via libssh2-devel
On Fri, 31 Dec 2021 at 02:13, Nicolas Mora via libssh2-devel wrote:
> If there is no reason to choose one libssh or another, then it's a lot
> of time spent for no obvious reason IMHO.

The only part of the Fedora report which looks like an argument is this: "the libssh2 library uses outdated cry

Re: Debian considers switching curl to use libssh instead of libssh2

2021-12-30 Thread Nicolas Mora via libssh2-devel
Hello,

I'm the maintainer for the Debian package libssh2. I didn't know about this bug until you mentioned it, Daniel.

I'm sorry if my response is not relevant; I have not been the maintainer for long, so I may be missing some context or background.

I'm wondering if there is a technical or secur

Debian considers switching curl to use libssh instead of libssh2

2021-12-30 Thread Daniel Stenberg via libssh2-devel
FYI: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897950

--
 / daniel.haxx.se
--
libssh2-devel mailing list
libssh2-devel@lists.haxx.se
https://lists.haxx.se/listinfo/libssh2-devel