[sword-devel] SWORD 1.8.0RC3

Greg Hellings greg.hellings at gmail.com
Sun Jun 25 18:10:42 MST 2017


Jaak,

Can you provide a version of that patch for 1.7 (and 1.8, if there is a
difference)? Or point me to where it lives? I will definitely wrap that
into the packaging for Fedora and SuSE as it is absolutely inappropriate to
have SSL checking skipped at the library level without it being a very
explicit step for users.

If Troy won't fix this glaring security hole, it can at least be fixed by
the packagers. I would encourage any Debian and/or Ubuntu users to file
bugs against Sword packaging in their environments (if their maintainer
isn't here) and the same for any other distribution users.

--Greg

On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja <jaak at ristioja.ee> wrote:

> Regarding TLS, I think the choice of whether to trust a self-signed
> certificate should explicitly be left to the user at run-time (e.g. like
> browsers do), rather than blindly accepting any (even expired?)
> certificates.
>
> Regarding the other fix, frontends can (and already do) handle threading
> by themselves, but afaik even for a single-threaded process the
> callbacks accepted by Sword have no direct means to terminate the
> installation process (e.g. by return value, or via another callback
> provided to the callback). So it seems that you're either saying that
>
> 1) Sword users have no means to terminate potentially long-running
> processes (and there's no plan to add such means), or
> 2) RemoteTransport::terminate() should never be called separately, but
> exclusively only from inside callbacks invoked by Sword.
>
> In the latter case, this should be made clear in the documentation.
>
> Blessings,
> J
>
> On 25.06.2017 21:53, Troy A. Griffitts wrote:
> > We have included some of your patches in the past (thank you again), but
> > not these. The first is intentional. We want to work with self signed
> > certs if necessary. None of our content is private, only the fact that a
> > user might access our server and for this, we ask all our frontends to
> > warn against this for persecuted countries. The second goes against our
> > policy in the library that all threading should be handled by the
> > client, not the library. The client should instantiate an InstallMgr in
> > its own thread and register threads are callbacks, if they wish to
> > install in the background. If we start trying to handle threading in the
> > library itself, it is a huge switch from current policy and depends on
> > support for threading in all our compilers. Easy enough to just
> > instantiate separate SWMgr instances per thread. But thank you for
> > offering.
> > Troy
> >
> > On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja <jaak at ristioja.ee>
> > wrote:
> >
> >     Hi Troy!
> >
> >     It seems that no fixes from Sword++ were considered for inclusion in SVN
> >     trunk, not even the two I explicitly proposed on this list in response
> >     to the RC2 announcement: one fixing hangs in front ends and the other
> >     fixing a pure security negligence which rendered SSL/TLS susceptible to
> >     MitM attacks.
> >
> >     ?!?!
> >
> >     J
> >
> >     On 25.06.2017 18:51, Troy A. Griffitts wrote:
> >
> >         Again, thank you to all the testers and reporters of problems for the
> >         previous RC and those who contributed fixes. Hopefully, this will stand
> >         any scrutiny and become 1.8.0. Please let me know if you have any feedback.
> >
> >         http://crosswire.org/sword/alpha/alpha/sword-1.7.903.tar.gz
> >
> >
> >         Included since last RC:
> >
> >         ------------------------------------------------------------------------
> >
> >         r3482 | scribe | 2017-06-25 07:36:23 -0700 (Sun, 25 Jun 2017) | 2 lines
> >
> >         Reworked strongs and lemma filters to better support any combo of toggle
> >         Added osisxhtml lemma type= support for other than Greek, Hebrew strongs
> >         ------------------------------------------------------------------------
> >
> >         r3481 | scribe | 2017-06-25 04:45:04 -0700 (Sun, 25 Jun 2017) | 3 lines
> >
> >         moved examples/simple.cpp to examples/tasks/simpleverselookup.cpp
> >
> >         also updated CMakeList.txt to build new examples
> >         ------------------------------------------------------------------------
> >
> >         r3480 | scribe | 2017-06-25 04:44:29 -0700 (Sun, 25 Jun 2017) | 1 line
> >
> >         added listbiblebooknames example
> >         ------------------------------------------------------------------------
> >
> >         r3479 | scribe | 2017-06-25 04:44:01 -0700 (Sun, 25 Jun 2017) | 1 line
> >
> >         added flatapi installmgr example
> >         ------------------------------------------------------------------------
> >
> >         r3478 | refdoc | 2017-06-10 15:28:11 -0700 (Sat, 10 Jun 2017) | 2 lines
> >
> >         added Belarussian locale file
> >
> >         ------------------------------------------------------------------------
> >
> >         r3477 | domcox | 2017-06-04 11:18:34 -0700 (Sun, 04 Jun 2017) | 1 line
> >
> >         French translation update (Contrib. from Cyrille)
> >         ------------------------------------------------------------------------
> >
> >
> >
> >         ------------------------------------------------------------------------
> >
> >         sword-devel mailing list: sword-devel at crosswire.org
> >         http://www.crosswire.org/mailman/listinfo/sword-devel
> >         Instructions to unsubscribe/change your settings at above page
> >
> > --
> > Sent from my Android device with K-9 Mail. Please excuse my brevity.
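
The run-time trust decision argued for in this thread (verify by default, accept a self-signed certificate only after the user explicitly approves it), sketched in Python as an added example. It is not code from SWORD, Sword++ or any message above; `TrustExceptions`, `context_for`, `pin_matches` and `connect` are hypothetical names, and pinning the certificate's SHA-256 digest is one assumed way to record the user's approval.

```python
import hashlib
import hmac
import socket
import ssl


class TrustExceptions:
    """Per-host certificates the user approved explicitly (hypothetical helper)."""

    def __init__(self):
        self._pins = {}  # host -> SHA-256 hex digest of the approved DER cert

    def approve(self, host, der_cert):
        """Call only after the frontend has shown the certificate and the user agreed."""
        self._pins[host] = hashlib.sha256(der_cert).hexdigest()

    def pin_for(self, host):
        return self._pins.get(host)


def context_for(host, exceptions):
    """Full verification by default; relaxed handshake only for an approved host."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    if exceptions.pin_for(host) is not None:
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # the pin check below replaces chain validation
    return ctx


def pin_matches(host, der_cert, exceptions):
    """True only if the peer presented exactly the certificate the user approved."""
    pin = exceptions.pin_for(host)
    if pin is None or not der_cert:
        return False
    return hmac.compare_digest(pin, hashlib.sha256(der_cert).hexdigest())


def connect(host, port, exceptions):
    """Return a TLS socket, or raise if neither a CA chain nor a pin vouches for the peer."""
    ctx = context_for(host, exceptions)
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                          server_hostname=host)
    if ctx.verify_mode == ssl.CERT_NONE and not pin_matches(
            host, tls.getpeercert(binary_form=True), exceptions):
        tls.close()
        raise ssl.SSLError("certificate differs from the one the user approved")
    return tls
```

A host without an approved exception always gets the fully verifying context, so a failed handshake is the point at which a frontend would ask the user and, on consent, call `approve()`.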