[sword-devel] SWORD 1.8.0RC3
Greg Hellings
greg.hellings at gmail.com
Sun Jun 25 18:10:42 MST 2017
Jaak,
Can you provide a version of that patch for 1.7 (and 1.8, if there is a
difference)? Or point me to where it lives? I will definitely wrap that
into the packaging for Fedora and SuSE as it is absolutely inappropriate to
have SSL checking skipped at the library level without it being a very
explicit step for users.
If Troy won't fix this glaring security hole, it can at least be fixed by
the packagers. I would encourage any Debian and/or Ubuntu users to file
bugs against Sword packaging in their environments (if their maintainer
isn't here) and the same for any other distribution users.
--Greg
On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja <jaak at ristioja.ee> wrote:
> Regarding TLS, I think the choice of whether to trust a self-signed
> certificate should explicitly be left to the user at run-time (e.g like
> browsers do), rather than blindly accepting any (even expired?)
> certificates.
>
> Regarding the other fix, frontends can (and already do) handle threading
> by themselves, but afaik even for a single-threaded process the
> callbacks accepted by Sword have no direct means to terminate the
> installation process (e.g. by return value, or via a another callback
> provided to the callback). So it seems that you're either saying that
>
> 1) Sword users have no means to terminate potentially long-running
> processes (and there's no plan to add such means), or
> 2) RemoteTransport::terminate() should never be called separately, but
> exclusively only from inside callbacks invoked by Sword.
>
> In the latter case, this should be made clear in the documentation.
>
> Blessings,
> J
>
> On 25.06.2017 21:53, Troy A. Griffitts wrote:
> > We have included some of your patches in the past (thank you again), but
> > not these. The first is intentional. We want to work with self signed
> > certs if necessary. Non of our content is private, only the fact that a
> > user might access our server and for this, we ask all our frontends to
> > warn against this for persecuted countries. The second goes against our
> > policy in the library that all threading should be handled by the
> > client, not the library. The client should instantiate an InstallMgr in
> > its own thread and register threads are callbacks, if they wish to
> > install in the background. If we start trying to handle threading in the
> > library itself, it is a huge switch from current policy and depends on
> > support for threading in all our compilers. Easy enough to just
> > instantiate separate SWMgr instances per thread. But thank you for
> offering.
> > Troy
> >
> > On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja <jaak at ristioja.ee>
> > wrote:
> >
> > Hi Troy!
> >
> > It seems that no fixes from Sword++ were considered for inclusion in
> SVN
> > trunk, not even the two I explicitly proposed on this list in
> response
> > to the RC2 announcement: one fixing hangs in front ends and the other
> > fixing a pure security negligence which rendered SSL/TLS susceptible
> to
> > MitM attacks.
> >
> > ?!?!
> >
> > J
> >
> > On 25.06.2017 18:51, Troy A. Griffitts wrote:
> >
> > Again, thank you to all the testers and reporters of problems
> > for the
> > previous RC and those who contributed fixes. Hopefully, this
> > will stand
> > any scrutiny and become 1.8.0. Please let me know if you have
> > any feedback.
> >
> > http://crosswire.org/sword/alpha/alpha/sword-1.7.903.tar.gz
> >
> >
> > Included since last RC:
> >
> > ------------------------------------------------------------
> ------------
> >
> > r3482 | scribe | 2017-06-25 07:36:23 -0700 (Sun, 25 Jun 2017) |
> > 2 lines
> >
> > Reworked strongs and lemma filters to better support any combo
> > of toggle
> > Added osisxhtml lemma type= support for other than Greek, Hebrew
> > strongs
> > ------------------------------------------------------------
> ------------
> >
> > r3481 | scribe | 2017-06-25 04:45:04 -0700 (Sun, 25 Jun 2017) |
> > 3 lines
> >
> > moved examples/simple.cpp to examples/tasks/
> simpleverselookup.cpp
> >
> > also updated CMakeList.txt to build new examples
> > ------------------------------------------------------------
> ------------
> >
> > r3480 | scribe | 2017-06-25 04:44:29 -0700 (Sun, 25 Jun 2017) |
> > 1 line
> >
> > added listbiblebooknames example
> > ------------------------------------------------------------
> ------------
> >
> > r3479 | scribe | 2017-06-25 04:44:01 -0700 (Sun, 25 Jun 2017) |
> > 1 line
> >
> > added flatapi installmgr example
> > ------------------------------------------------------------
> ------------
> >
> > r3478 | refdoc | 2017-06-10 15:28:11 -0700 (Sat, 10 Jun 2017) |
> > 2 lines
> >
> > added Belarussian locale file
> >
> > ------------------------------------------------------------
> ------------
> >
> > r3477 | domcox | 2017-06-04 11:18:34 -0700 (Sun, 04 Jun 2017) |
> > 1 line
> >
> > French translation update (Contrib. from Cyrille)
> > ------------------------------------------------------------
> ------------
> >
> >
> >
> > ------------------------------------------------------------
> ------------
> >
> > sword-devel mailing list: sword-devel at crosswire.org
> > http://www.crosswire.org/mailman/listinfo/sword-devel
> > Instructions to unsubscribe/change your settings at above page
> >
> >
> >
> > ------------------------------------------------------------
> ------------
> >
> > sword-devel mailing list: sword-devel at crosswire.org
> > http://www.crosswire.org/mailman/listinfo/sword-devel
> > Instructions to unsubscribe/change your settings at above page
> >
> >
> > --
> > Sent from my Android device with K-9 Mail. Please excuse my brevity.
> >
> >
> > _______________________________________________
> > sword-devel mailing list: sword-devel at crosswire.org
> > http://www.crosswire.org/mailman/listinfo/sword-devel
> > Instructions to unsubscribe/change your settings at above page
> >
>
>
> _______________________________________________
> sword-devel mailing list: sword-devel at crosswire.org
> http://www.crosswire.org/mailman/listinfo/sword-devel
> Instructions to unsubscribe/change your settings at above page
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.crosswire.org/pipermail/sword-devel/attachments/20170625/a9a12aeb/attachment-0001.html>
More information about the sword-devel
mailing list