Re: [openssl.org #3375] Patch: Off-by-one errors in ssl_cipher_get_evp()

2014-06-21 Thread Ben Laurie
On 12 June 2014 23:15, Matt Caswell m...@openssl.org wrote:


 On 12/06/14 22:43, Otto Moerbeek wrote:
 On Thu, Jun 12, 2014 at 10:26:56PM +0200, Matt Caswell via RT wrote:

 Patch applied:
 https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=abfb989fe0b749ad61f1aa4cdb0ea4f952fc13e0

 Many thanks for your contribution.

 Matt

 http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/ssl_ciph.c.diff?r1=1.38;r2=1.39

 Again no attribution in problem report and commit. Claiming
 independent discovery is not going to be credible.

 The commit *is* attributed. The author is listed as Kurt Cancemi - this
 is as it is attributed in the patch supplied in the problem report.

I presume he meant in the OpenBSD repo...

Kurt does not appear to be attributed there:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/ssl_ciph.c?rev=1.39.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #3375] Patch: Off-by-one errors in ssl_cipher_get_evp()

2014-06-21 Thread Otto Moerbeek
On Sat, Jun 21, 2014 at 06:15:28PM +0100, Ben Laurie wrote:

 On 12 June 2014 23:15, Matt Caswell m...@openssl.org wrote:
 
 
  On 12/06/14 22:43, Otto Moerbeek wrote:
  On Thu, Jun 12, 2014 at 10:26:56PM +0200, Matt Caswell via RT wrote:
 
  Patch applied:
  https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=abfb989fe0b749ad61f1aa4cdb0ea4f952fc13e0
 
  Many thanks for your contribution.
 
  Matt
 
  http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/ssl_ciph.c.diff?r1=1.38;r2=1.39
 
  Again no attribution in problem report and commit. Claiming
  independent discovery is not going to be credible.
 
  The commit *is* attributed. The author is listed as Kurt Cancemi - this
  is as it is attributed in the patch supplied in the problem report.
 
 I presume he meant in the OpenBSD repo...
 
 Kurt does not appear to be attributed there:
 http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/ssl_ciph.c?rev=1.39.

You are confusing the matter. Kurt already explained he got the fix
from OpenBSD. After that explanation, the OpenSSL repo was fixed to
contain the attribution. 

-Otto



Re: [openssl.org #3375] Patch: Off-by-one errors in ssl_cipher_get_evp()

2014-06-21 Thread mancha
On Sat, Jun 21, 2014 at 08:51:35PM +0200, Otto Moerbeek wrote:
 
 You are confusing the matter. Kurt already explained he got the fix
 from OpenBSD. After that explanation, the OpenSSL repo was fixed to
 contain the attribution. 

Hi. I can't seem to find the attribution fix you allude to. Can you
provide a link?

--mancha




Re: [openssl.org #3375] Patch: Off-by-one errors in ssl_cipher_get_evp()

2014-06-21 Thread Matt Caswell
On 21 June 2014 19:51, Otto Moerbeek o...@drijf.net wrote:
 You are confusing the matter. Kurt already explained he got the fix
 from OpenBSD. After that explanation, the OpenSSL repo was fixed to
 contain the attribution.


I think we are all getting confused in this thread! :-)

Otto - I think you are confusing the other case of missing attribution
with this one. The other case was fixed, this one has not been.

I was hoping that Kurt Cancemi would explain whether he got the patch
from OpenBSD or independently discovered it. I haven't seen a response
- are you saying that you have, Otto?

I am happy to fix the repo to correctly attribute the fix, if that is
the right course of action. To be honest in the absence of a response
from Kurt I am unsure what the right thing to do is!?

Given that it's been a week since this occurred, a compromise could be
to fix the repo by keeping the commit as it is with its attribution,
but adding an additional comment saying that we note that OpenBSD also
discovered this issue on 24th May. Is that acceptable?

(NB: by fixing the repo I mean, adding a revert commit, and reapplying
the change...I can't actually rewrite history)

Matt


Re: [openssl.org #3375] Patch: Off-by-one errors in ssl_cipher_get_evp()

2014-06-21 Thread Otto Moerbeek
On Sat, Jun 21, 2014 at 09:58:33PM +0100, Matt Caswell wrote:

 On 21 June 2014 19:51, Otto Moerbeek o...@drijf.net wrote:
  You are confusing the matter. Kurt already explained he got the fix
  from OpenBSD. After that explanation, the OpenSSL repo was fixed to
  contain the attribution.
 
 
 I think we are all getting confused in this thread! :-)
 
 Otto - I think you are confusing the other case of missing attribution
 with this one. The other case was fixed, this one has not been.
 
 I was hoping that Kurt Cancemi would explain whether he got the patch
 from OpenBSD or independently discovered it. I haven't seen a response
 - are you saying that you have, Otto?
 
 I am happy to fix the repo to correctly attribute the fix, if that is
 the right course of action. To be honest in the absence of a response
 from Kurt I am unsure what the right thing to do is!?
 
 Given that it's been a week since this occurred, a compromise could be
 to fix the repo by keeping the commit as it is with its attribution,
 but adding an additional comment saying that we note that OpenBSD also
 discovered this issue on 24th May. Is that acceptable?
 
 (NB: by fixing the repo I mean, adding a revert commit, and reapplying
 the change...I can't actually rewrite history)
 
 Matt

Oh yes, I see. Sorry for adding to the confusion...

Kurt, any comment?

-Otto