[sword-devel] SWORD 1.8.0RC3

Greg Hellings greg.hellings at gmail.com
Sun Jun 25 18:49:11 MST 2017


On Sun, Jun 25, 2017 at 8:10 PM, Greg Hellings <greg.hellings at gmail.com>
wrote:

> Jaak,
>
> Can you provide a version of that patch for 1.7 (and 1.8, if there is a
> difference)? Or point me to where it lives? I will definitely wrap that
> into the packaging for Fedora and SuSE as it is absolutely inappropriate to
> have SSL checking skipped at the library level without it being a very
> explicit step for users.
>
> If Troy won't fix this glaring security hole, it can at least be fixed by
> the packagers. I would encourage any Debian and/or Ubuntu users to file
> bugs against Sword packaging in their environments (if their maintainer
> isn't here) and the same for any other distribution users.
>

With apologies to Troy, this paragraph carried an implication that I did
not intend. The state of this code in the library is intentionally set.
However, these known and documented security weaknesses are intended to be
closed up by package maintainers of libraries in most distributions (e.g.
SSL/TLS libraries that include weak ciphers that get disabled by package
maintainers, bundlers, etc).  This is one reason that packagers are
encouraged to be and remain close to the development of upstream, as much
as possible, so they can provide reasonably secure defaults in the package
build even if those are not the default setting for upstream for whatever
reason.

I did not mean to impugn Troy or cause him offense.

That said, perhaps a compile-time switch could be added to enable more
security-conscious options in the transport code? That way the task of
packagers could be made easier by enabling a more security-conscious option
at build time instead of patching the library.

--Greg


> --Greg
>
> On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja <jaak at ristioja.ee> wrote:
>
>> Regarding TLS, I think the choice of whether to trust a self-signed
>> certificate should explicitly be left to the user at run-time (e.g. like
>> browsers do), rather than blindly accepting any (even expired?)
>> certificates.
>>
>> Regarding the other fix, frontends can (and already do) handle threading
>> by themselves, but afaik even for a single-threaded process the
>> callbacks accepted by Sword have no direct means to terminate the
>> installation process (e.g. by return value, or via another callback
>> provided to the callback). So it seems that you're either saying that
>>
>> 1) Sword users have no means to terminate potentially long-running
>> processes (and there's no plan to add such means), or
>> 2) RemoteTransport::terminate() should never be called separately, but
>> exclusively only from inside callbacks invoked by Sword.
>>
>> In the latter case, this should be made clear in the documentation.
>>
>> Blessings,
>> J
>>
>> On 25.06.2017 21:53, Troy A. Griffitts wrote:
>> > We have included some of your patches in the past (thank you again), but
>> > not these. The first is intentional. We want to work with self-signed
>> > certs if necessary. None of our content is private, only the fact that a
>> > user might access our server and for this, we ask all our frontends to
>> > warn against this for persecuted countries. The second goes against our
>> > policy in the library that all threading should be handled by the
>> > client, not the library. The client should instantiate an InstallMgr in
>> > its own thread and register threads are callbacks, if they wish to
>> > install in the background. If we start trying to handle threading in the
>> > library itself, it is a huge switch from current policy and depends on
>> > support for threading in all our compilers. Easy enough to just
>> > instantiate separate SWMgr instances per thread. But thank you for
>> > offering.
>> > Troy
>> >
>> > On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja <jaak at ristioja.ee>
>> > wrote:
>> >
>> >     Hi Troy!
>> >
>> >     It seems that no fixes from Sword++ were considered for inclusion in SVN
>> >     trunk, not even the two I explicitly proposed on this list in response
>> >     to the RC2 announcement: one fixing hangs in front ends and the other
>> >     fixing a pure security negligence which rendered SSL/TLS susceptible to
>> >     MitM attacks.
>> >
>> >     ?!?!
>> >
>> >     J
>> >
>> >     On 25.06.2017 18:51, Troy A. Griffitts wrote:
>> >
>> >         Again, thank you to all the testers and reporters of problems for the
>> >         previous RC and those who contributed fixes. Hopefully, this will stand
>> >         any scrutiny and become 1.8.0. Please let me know if you have
>> >         any feedback.
>> >
>> >         http://crosswire.org/sword/alpha/alpha/sword-1.7.903.tar.gz
>> >
>> >
>> >         Included since last RC:
>> >
>> >         ------------------------------------------------------------------------
>> >         r3482 | scribe | 2017-06-25 07:36:23 -0700 (Sun, 25 Jun 2017) | 2 lines
>> >
>> >         Reworked strongs and lemma filters to better support any combo of toggle
>> >         Added osisxhtml lemma type= support for other than Greek, Hebrew strongs
>> >         ------------------------------------------------------------------------
>> >         r3481 | scribe | 2017-06-25 04:45:04 -0700 (Sun, 25 Jun 2017) | 3 lines
>> >
>> >         moved examples/simple.cpp to examples/tasks/simpleverselookup.cpp
>> >
>> >         also updated CMakeList.txt to build new examples
>> >         ------------------------------------------------------------------------
>> >         r3480 | scribe | 2017-06-25 04:44:29 -0700 (Sun, 25 Jun 2017) | 1 line
>> >
>> >         added listbiblebooknames example
>> >         ------------------------------------------------------------------------
>> >         r3479 | scribe | 2017-06-25 04:44:01 -0700 (Sun, 25 Jun 2017) | 1 line
>> >
>> >         added flatapi installmgr example
>> >         ------------------------------------------------------------------------
>> >         r3478 | refdoc | 2017-06-10 15:28:11 -0700 (Sat, 10 Jun 2017) | 2 lines
>> >
>> >         added Belarussian locale file
>> >
>> >         ------------------------------------------------------------------------
>> >         r3477 | domcox | 2017-06-04 11:18:34 -0700 (Sun, 04 Jun 2017) | 1 line
>> >
>> >         French translation update (Contrib. from Cyrille)
>> >         ------------------------------------------------------------------------
>> >
>> >         ------------------------------------------------------------------------
>> >         sword-devel mailing list: sword-devel at crosswire.org
>> >         http://www.crosswire.org/mailman/listinfo/sword-devel
>> >         Instructions to unsubscribe/change your settings at above page
>> >
>> >
>> >
>> >
>> >
>> > --
>> > Sent from my Android device with K-9 Mail. Please excuse my brevity.
>> >
>> >
>> >
>>
>>
>>
>
>
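As an added illustration (not SWORD code, and not from anyone in this thread), the two proposals above combined in one transport-level trust policy: a build-time default a packager can flip, plus a run-time prompt so that a self-signed certificate is trusted only by an explicit user choice, while expired certificates are refused outright. All identifiers are hypothetical; validation of CA-signed chains is assumed to be done by the TLS library and is not modelled here.

```cpp
// Hypothetical illustration of a TLS trust policy for a remote transport.
// Not SWORD library code; every name here is made up for the example.
#include <ctime>
#include <functional>
#include <string>
#include <utility>

// Build-time switch a packager could set (e.g. -DSTRICT_TLS_DEFAULT) so the
// distribution build refuses self-signed peers unless the caller opts in.
#ifdef STRICT_TLS_DEFAULT
constexpr bool kDefaultAllowSelfSigned = false;
#else
constexpr bool kDefaultAllowSelfSigned = true;   // lenient default, as upstream prefers
#endif

struct CertInfo {            // constructed summary of a peer certificate
    std::string subject;
    std::string issuer;
    std::time_t notAfter;    // expiry as Unix time
};

enum class Decision { Accept, Reject };

class TlsPolicy {
public:
    // The prompt stands in for a frontend asking the user, as a browser would.
    using UserPrompt = std::function<bool(const CertInfo&)>;
    explicit TlsPolicy(UserPrompt prompt, bool allowSelfSigned = kDefaultAllowSelfSigned)
        : prompt_(std::move(prompt)), allowSelfSigned_(allowSelfSigned) {}

    Decision verify(const CertInfo& cert, std::time_t now) const {
        if (cert.notAfter < now)
            return Decision::Reject;             // expired: never accepted, prompt or not
        const bool selfSigned = (cert.subject == cert.issuer);
        if (!selfSigned)
            return Decision::Accept;             // CA-signed: chain checked by TLS library
        if (!allowSelfSigned_)
            return Decision::Reject;             // strict build or strict run-time setting
        // Lenient setting: even then the user decides explicitly, per certificate.
        return (prompt_ && prompt_(cert)) ? Decision::Accept : Decision::Reject;
    }

private:
    UserPrompt prompt_;
    bool allowSelfSigned_;
};
```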