OpenSSL roadmap


OpenSSL roadmap

Loganaden Velvindron
Hi guys,

I'm very happy to see the OpenSSL roadmap.

However, I feel that the developer group is a bit closed
to outsiders.

I requested access to the OpenSSL scan results on coverity,
and up to now, my request is still pending :-(




--
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

RE: OpenSSL roadmap

Salz, Rich
> However, I feel that the developer group is a bit closed to outsiders.

More communication and transparency is coming, as we have a bigger and more invigorated developer team.  It will take time.  But not everything will always be discussed in public mailing lists right away, particularly around vulnerabilities.

> I requested access to the OpenSSL scan results on coverity, and up to now,
> my request is still pending :-(

This could be an example of that.  (I don't know, I haven't looked through any reports.)  But I hope that you understand why there might be concerns about doing this.
 
Are there other issues or examples that come to mind?

        /r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [hidden email]; Twitter: RichSalz

Re: OpenSSL roadmap

Loganaden Velvindron
On Wed, Jul 2, 2014 at 9:48 PM, Salz, Rich <[hidden email]> wrote:
>> However, I feel that the developer group is a bit closed to outsiders.
>
> More communication and transparency is coming, as we have a bigger and more invigorated developer team.  It will take time.  But not everything will always be discussed in public mailing lists right away, particularly around vulnerabilities.
>
>> I requested access to the OpenSSL scan results on coverity, and up to now,
>> my request is still pending :-(
>
> This could be an example of that.  (I don't know, I haven't looked through any reports.)  But I hope that you understand why there might be concerns about doing this.

I write fixes for pieces of software that I depend on. Some time ago,
I sent a diff for OpenSSL.

If I'm interested in fixing OpenSSL, why shouldn't I have access to
coverity scans?

Other Open Source projects have provided me access to their coverity
scans, despite the fact that I'm not a committer.







RE: OpenSSL roadmap

Salz, Rich
>  I write fixes for pieces of software that I depend on. Some time ago, I sent a
> diff for OpenSSL.

Great, thanks.

> If I'm interested in fixing OpenSSL, why shouldn't I have access to coverity
> scans?
>
> Other Open Source projects have provided me access to their coverity scans,
> despite the fact that I'm not a committer.

There are security concerns. For example, the recent heartbleed vulnerability exposed long-term private keys, user passwords and all sorts of stuff. This makes OpenSSL software different from something like a packet dump or mail reader. I don't know what the scans say, and I understand your disappointment, but we really need to be careful about making vulnerability scans generally available. And then there is the question of where we draw the line.  I am all in favor of responsible disclosure, but unfortunately the bad guys -- who, yes, may already have coverity or other scans -- are interested as well.

I wish I could give you a nice answer.

        /r$
 
--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [hidden email]; Twitter: RichSalz



Re: OpenSSL roadmap

Michael Sierchio
In reply to this post by Loganaden Velvindron
On Wed, Jul 2, 2014 at 11:23 AM, Loganaden Velvindron
<[hidden email]> wrote:

> If I'm interested in fixing OpenSSL, why shouldn't I have access to
> coverity scans?

I'm not a committer, and not a core member, but I am fully prepared to
answer your question. Because the policy of the project says so. If
you show the dedication and commitment to give back to the project and
become a committer, that could change.

> Other Open Source projects have provided me access to their coverity
> scans, despite the fact that I'm not a committer.

That is deeply flawed as an argument, both rhetorically and materially.

- M

Re: OpenSSL roadmap

Daniel Reynolds

I agree. Not all open source projects play a major role in securing much of the world's e-commerce.


Re: OpenSSL roadmap

Loganaden Velvindron
In reply to this post by Salz, Rich
On Wed, Jul 2, 2014 at 10:42 PM, Salz, Rich <[hidden email]> wrote:

>>  I write fixes for pieces of software that I depend on. Some time ago, I sent a
>> diff for OpenSSL.
>
> Great, thanks.
>
>> If I'm interested in fixing OpenSSL, why shouldn't I have access to coverity
>> scans?
>>
>> Other Open Source projects have provided me access to their coverity scans,
>> despite the fact that I'm not a committer.
>
> There are security concerns. For example, the recent heartbleed vulnerability exposed long-term private keys, user passwords and all sorts of stuff. This makes OpenSSL software different from something like a packet dump or mail reader. I don't know what the scans say, and I understand your disappointment, but we really need to be careful about making vulnerability scans generally available. And then there is the question of where we draw the line.  I am all in favor of responsible disclosure, but unfortunately the bad guys -- who, yes, may already have coverity or other scans -- are interested as well.

I reported a vulnerability to FreeBSD (See:
http://www.freebsd.org/security/advisories/FreeBSD-SA-13:12.ifioctl.asc)
by going through responsible disclosure process.

Are you implying that I'm part of the bad guys?

I'm not asking for the scan results to be made public, but simply
asking for my request not to be left "pending" on my coverity
dashboard, as a contributor.




RE: OpenSSL roadmap

Salz, Rich
No, I don't mean to imply that you are one of the bad guys.  It's just that we have only one real way of knowing who the good guys are, and that is being part of the development team.  Yes, that can be very inconvenient.  Trust me, I know, it took more than 10 years for the team to open up and add me. :)

I don't know where your ticket is, but it should be closed.

I know this frustrates you, and I'm sorry about that.

        /r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [hidden email]; Twitter: RichSalz


Re: OpenSSL roadmap

Loganaden Velvindron
On Thu, Jul 3, 2014 at 3:10 PM, Salz, Rich <[hidden email]> wrote:
> No, I don't mean to imply that you are one of the bad guys.  It's just that we have only one real way of knowing who the good guys are, and that is being part of the development team.  Yes, that can be very inconvenient.  Trust me, I know, it took more than 10 years for the team to open up and add me. :)
>
> I don't know where your ticket is, but it should be closed.
>
> I know this frustrates you, and I'm sorry about that.

I see such trends as leading to dangerous situations in the future.
OpenSSL is widely deployed, and the developers appear to grow older,
according to the various interviews I read. (I don't wish to offend
any of you guys here). What happens if something happens to the core
developers? Who will take over?


The roadmap is nice, but if we don't get young developers who can work
their way to maintain the OpenSSL codebase, we're going to hit a huge
problem, in 10 years :-(



Re: OpenSSL roadmap

Matt Caswell-2
On 3 July 2014 13:01, Loganaden Velvindron <[hidden email]> wrote:
> On Thu, Jul 3, 2014 at 3:10 PM, Salz, Rich <[hidden email]> wrote:
>> No, I don't mean to imply that you are one of the bad guys.  It's just that we have only one real way of knowing who the good guys are, and that is being part of the development team.  Yes, that can be very inconvenient.  Trust me, I know, it took more than 10 years for the team to open up and add me. :)
>>
>> I don't know where your ticket is, but it should be closed.

Done.

>>
>> I know this frustrates you, and I'm sorry about that.
>
> I see such trends as leading to dangerous situations in the future.
> OpenSSL is widely deployed, and the developers appear to grow older,
> according to the various interviews I read. (I don't wish to offend
> any of you guys here). What happens if something happens to the core
> developers? Who will take over?
>
>
> The roadmap is nice, but if we don't get young developers who can work
> their way to maintain the OpenSSL codebase, we're going to hit a huge
> problem, in 10 years :-(
>

I think your criticism might have been valid in the past - but not any
longer. The team have recognised that new blood is required, and that
is why the team has doubled in size in the last couple of months.

Matt

Re: OpenSSL roadmap

Theodore Ts'o-2
In reply to this post by Loganaden Velvindron
On Thu, Jul 03, 2014 at 04:01:16PM +0400, Loganaden Velvindron wrote:

>
> I see such trends as leading to dangerous situations in the future.
> OpenSSL is widely deployed, and the developers appear to grow older,
> according to the various interviews I read. (I don't wish to offend
> any of you guys here). What happens if something happens to the core
> developers? Who will take over?
>
> The roadmap is nice, but if we don't get young developers who can work
> their way to maintain the OpenSSL codebase, we're going to hit a huge
> problem, in 10 years :-(

There are several issues being conflated here.  One is how
security disclosures get handled and who gets access to things like
free open source Coverity scans.  In the linux kernel, we do have a
closed [hidden email] list, but that's separate from those core
maintainers, and things are only kept quiet for a relatively short period of
time --- typically only a week, and the distributions know and expect
that they need to turn around a new package in a short window of time,
but that's Linus's strong preference since he doesn't believe a longer
window does anything but reward incompetent release processes at
various distributions.  (Given that Microsoft has weekly "patch
Tuesdays", if even slow moving *Microsoft* can turn around a security
update in a week, what's your excuse?  :-)

However, in the kernel we are much more lax about who gets access to
the Coverity project.  Part of this is the sure and certain knowledge
that the bad guys are quite willing to pay for a Coverity license, and
so for us the balance of increasing the pool of those who are
looking through the Coverity scans, and contribute to fix bugs, and
thus grow the development community, tips in favor of being more open
about who gets access to Coverity.

This is in turn *completely* different from who participates in the
development community.  Note that with git, you don't have to have
committer access in order to contribute.  In fact, with Linux, only
one person --- Linus Torvalds --- has access to merge in changes into
the tree, and while we don't have a closed mailing list only open to
committers, that's because Linus isn't known to be schizophrenic, so
he doesn't talk to himself, and he certainly doesn't need to conduct
closed votes amongst himself.  He's a *dictator*, after all.

And yet, the Linux kernel has a pretty healthy development community.

I'd submit that the better metric of developer community health is
looking to see who has actually authored patches that have gotten
merged into the git tree, on a monthly/quarterly/annual basis.  And in
fact, I'm trying to see if we can get the folks who are doing the
annual "who writes Linux" reports to do a similar analysis on the
OpenSSL git tree, and make the results public for all to see.  After
all, as the saying goes, you get what you measure.


I personally think that sending patches for review on the mailing list
is actually healthier than just hiding it in request tracker or github
pull requests, since it invites a much larger set of people who have at
least *looked* at the patch.  But that's an implementation detail, and
as someone who isn't an OpenSSL developer, I don't have standing to
make suggestions like that.  And also, does it matter?  If a year from
now, the statistics show that patches aren't getting merged from a
growing set of people, one of the wonderful things about git is that
it makes forks so much easier.  And if a bunch of young Turks are
upset that the old dinosaurs aren't letting them into the clubhouse,
they can always fork the git repo and make their own version --- and
that's a good thing.

Because when it's that easy to fork, paradoxically it changes the
incentives to make forks much less likely --- and if they do happen,
git makes it a lot easier to merge and cherry pick changes back from
forks into whatever development tree is acknowledged by the majority
of the development and user community as being the mainline branch.
It was really important to Linus Torvalds that his tree not be special
compared to any other tree in the git "forest", for this very reason.

Cheers,

                                                - Ted

Re: OpenSSL roadmap

Tomas Mraz-2
On Thu, 2014-07-03 at 09:13 -0400, Theodore Ts'o wrote:
> However, in the kernel we are much more lax about who gets access to
> the Coverity project.  Part of this is the sure and certain knowledge
> that the bad guys are quite willing to pay for a Coverity license, and
> so for us the balance of increasing the pool of those who are
> looking through the Coverity scans, and contribute to fix bugs, and
> thus grow the development community, tips in favor of being more open
> about who gets access to Coverity.

Yes, the real bad guys can surely buy a Coverity license, they can even
write similar tools themselves. So once something is found by a Coverity
scan it should be considered public knowledge anyway. Manual review
by real people is something very different.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)



Re: OpenSSL roadmap

Ben Laurie-2
In reply to this post by Theodore Ts'o-2
On 3 July 2014 14:13, Theodore Ts'o <[hidden email]> wrote:
> However, in the kernel we are much more lax about who gets access to
> the Coverity project.  Part of this is the sure and certain knowledge
> that the bad guys are quite willing to pay for a Coverity license, and
> so for us the balance of increasing the pool of those who are
> looking through the Coverity scans, and contribute to fix bugs, and
> thus grow the development community, tips in favor of being more open
> about who gets access to Coverity.

Right, I agree, but clearly there isn't unanimity amongst the dev
team. I think we'd be a bit more relaxed if we were actually on top of
Coverity, which I would hope would happen soon, now we have full-time
developer(s).

RE: OpenSSL roadmap

Salz, Rich
In reply to this post by Theodore Ts'o-2
> release processes at various distributions.  (Given that Microsoft has weekly
> "patch Tuesdays", if even slow moving *Microsoft* can turn around a
> security update in a week, what's your excuse?  :-)

They have a regular release train, but it doesn't mean that everything gets fixed in one week.  Sorry to stomp your punchline.

        /r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [hidden email]; Twitter: RichSalz


Re: OpenSSL roadmap

Ben Laurie-2
On 3 July 2014 15:28, Salz, Rich <[hidden email]> wrote:
>> release processes at various distributions.  (Given that Microsoft has weekly
>> "patch Tuesdays", if even slow moving *Microsoft* can turn around a
>> security update in a week, what's your excuse?  :-)
>
> They have a regular release train, but it doesn't mean that everything gets fixed in one week.  Sorry to stomp your punchline.

3 months to a year is more usual. :-)

Re: OpenSSL roadmap

Kurt Roeckx
In reply to this post by Theodore Ts'o-2
On Thu, Jul 03, 2014 at 09:13:43AM -0400, Theodore Ts'o wrote:
> (Given that Microsoft has weekly "patch
> Tuesdays", if even slow moving *Microsoft* can turn around a security
> update in a week, what's your excuse?  :-)

As far as I know, patch Tuesday is the 2nd Tuesday of the month.
But wikipedia says it's the 2nd and the 4th.  In my experience I
normally only get updates the day after the 2nd Tuesday.

That of course doesn't mean we shouldn't aim for 1 week.


Kurt
