Jaak, Can you provide a version of that patch for 1.7 (and 1.8, if there is a difference)? Or point me to where it lives? I will definitely wrap that into the packaging for Fedora and SuSE as it is absolutely inappropriate to have SSL checking skipped at the library level without it being a very explicit step for users.
If Troy won't fix this glaring security hole, it can at least be fixed by the packagers. I would encourage any Debian and/or Ubuntu users to file bugs against Sword packaging in their environments (if their maintainer isn't here) and the same for any other distribution users. --Greg On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja <j...@ristioja.ee> wrote: > Regarding TLS, I think the choice of whether to trust a self-signed > certificate should explicitly be left to the user at run-time (e.g like > browsers do), rather than blindly accepting any (even expired?) > certificates. > > Regarding the other fix, frontends can (and already do) handle threading > by themselves, but afaik even for a single-threaded process the > callbacks accepted by Sword have no direct means to terminate the > installation process (e.g. by return value, or via a another callback > provided to the callback). So it seems that you're either saying that > > 1) Sword users have no means to terminate potentially long-running > processes (and there's no plan to add such means), or > 2) RemoteTransport::terminate() should never be called separately, but > exclusively only from inside callbacks invoked by Sword. > > In the latter case, this should be made clear in the documentation. > > Blessings, > J > > On 25.06.2017 21:53, Troy A. Griffitts wrote: > > We have included some of your patches in the past (thank you again), but > > not these. The first is intentional. We want to work with self signed > > certs if necessary. Non of our content is private, only the fact that a > > user might access our server and for this, we ask all our frontends to > > warn against this for persecuted countries. The second goes against our > > policy in the library that all threading should be handled by the > > client, not the library. The client should instantiate an InstallMgr in > > its own thread and register threads are callbacks, if they wish to > > install in the background. If we start trying to handle threading in the > > library itself, it is a huge switch from current policy and depends on > > support for threading in all our compilers. Easy enough to just > > instantiate separate SWMgr instances per thread. But thank you for > offering. > > Troy > > > > On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja <j...@ristioja.ee> > > wrote: > > > > Hi Troy! > > > > It seems that no fixes from Sword++ were considered for inclusion in > SVN > > trunk, not even the two I explicitly proposed on this list in > response > > to the RC2 announcement: one fixing hangs in front ends and the other > > fixing a pure security negligence which rendered SSL/TLS susceptible > to > > MitM attacks. > > > > ?!?! > > > > J > > > > On 25.06.2017 18:51, Troy A. Griffitts wrote: > > > > Again, thank you to all the testers and reporters of problems > > for the > > previous RC and those who contributed fixes. Hopefully, this > > will stand > > any scrutiny and become 1.8.0. Please let me know if you have > > any feedback. > > > > http://crosswire.org/sword/alpha/alpha/sword-1.7.903.tar.gz > > > > > > Included since last RC: > > > > ------------------------------------------------------------ > ------------ > > > > r3482 | scribe | 2017-06-25 07:36:23 -0700 (Sun, 25 Jun 2017) | > > 2 lines > > > > Reworked strongs and lemma filters to better support any combo > > of toggle > > Added osisxhtml lemma type= support for other than Greek, Hebrew > > strongs > > ------------------------------------------------------------ > ------------ > > > > r3481 | scribe | 2017-06-25 04:45:04 -0700 (Sun, 25 Jun 2017) | > > 3 lines > > > > moved examples/simple.cpp to examples/tasks/ > simpleverselookup.cpp > > > > also updated CMakeList.txt to build new examples > > ------------------------------------------------------------ > ------------ > > > > r3480 | scribe | 2017-06-25 04:44:29 -0700 (Sun, 25 Jun 2017) | > > 1 line > > > > added listbiblebooknames example > > ------------------------------------------------------------ > ------------ > > > > r3479 | scribe | 2017-06-25 04:44:01 -0700 (Sun, 25 Jun 2017) | > > 1 line > > > > added flatapi installmgr example > > ------------------------------------------------------------ > ------------ > > > > r3478 | refdoc | 2017-06-10 15:28:11 -0700 (Sat, 10 Jun 2017) | > > 2 lines > > > > added Belarussian locale file > > > > ------------------------------------------------------------ > ------------ > > > > r3477 | domcox | 2017-06-04 11:18:34 -0700 (Sun, 04 Jun 2017) | > > 1 line > > > > French translation update (Contrib. from Cyrille) > > ------------------------------------------------------------ > ------------ > > > > > > > > ------------------------------------------------------------ > ------------ > > > > sword-devel mailing list: sword-devel@crosswire.org > > http://www.crosswire.org/mailman/listinfo/sword-devel > > Instructions to unsubscribe/change your settings at above page > > > > > > > > ------------------------------------------------------------ > ------------ > > > > sword-devel mailing list: sword-devel@crosswire.org > > http://www.crosswire.org/mailman/listinfo/sword-devel > > Instructions to unsubscribe/change your settings at above page > > > > > > -- > > Sent from my Android device with K-9 Mail. Please excuse my brevity. > > > > > > _______________________________________________ > > sword-devel mailing list: sword-devel@crosswire.org > > http://www.crosswire.org/mailman/listinfo/sword-devel > > Instructions to unsubscribe/change your settings at above page > > > > > _______________________________________________ > sword-devel mailing list: sword-devel@crosswire.org > http://www.crosswire.org/mailman/listinfo/sword-devel > Instructions to unsubscribe/change your settings at above page >
_______________________________________________ sword-devel mailing list: sword-devel@crosswire.org http://www.crosswire.org/mailman/listinfo/sword-devel Instructions to unsubscribe/change your settings at above page
