[sword-devel] SWORD 1.8.0RC3
Jaak Ristioja
jaak at ristioja.ee
Mon Jun 26 02:04:22 MST 2017
Overriding this setting was never possible with Sword in the first place.

On 26.06.2017 11:05, refdoc at gmx.net wrote:
> As a user I would want to be able to override this, does this patch make
> this impossible?
>
> Sent from my mobile. Please forgive shortness, typos and weird autocorrects.
>
>
> -------- Original Message --------
> Subject: Re: [sword-devel] SWORD 1.8.0RC3
> From: Jaak Ristioja
> To: sword-devel at crosswire.org
> CC:
>
>
> Sure! Verifying TLS certificates is explicitly disabled in the file
>
> src/mgr/curlhttpt.cpp
>
> by the lines:
>
> /* Disable checking host certificate */
> curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, false);
>
> I've attached a patch for Sword SVN trunk which removed these lines. For
> the Sword++ commit, see
> https://github.com/swordxx/swordxx/commit/49de93ca35f61601376fab0ac8689f48a76dd4d6
>
> J
>
>
> On 26.06.2017 04:10, Greg Hellings wrote:
> > Jaak,
> >
> > Can you provide a version of that patch for 1.7 (and 1.8, if there is a
> > difference)? Or point me to where it lives? I will definitely wrap that
> > into the packaging for Fedora and SuSE as it is absolutely inappropriate
> > to have SSL checking skipped at the library level without it being a
> > very explicit step for users.
> >
> > If Troy won't fix this glaring security hole, it can at least be fixed
> > by the packagers. I would encourage any Debian and/or Ubuntu users to
> > file bugs against Sword packaging in their environments (if their
> > maintainer isn't here) and the same for any other distribution users.
> >
> > --Greg
> >
> > On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja wrote:
> >
> > Regarding TLS, I think the choice of whether to trust a self-signed
> > certificate should explicitly be left to the user at run-time (e.g. like
> > browsers do), rather than blindly accepting any (even expired?)
> > certificates.
> >
> > Regarding the other fix, frontends can (and already do) handle threading
> > by themselves, but afaik even for a single-threaded process the
> > callbacks accepted by Sword have no direct means to terminate the
> > installation process (e.g. by return value, or via another callback
> > provided to the callback). So it seems that you're either saying that
> >
> > 1) Sword users have no means to terminate potentially long-running
> > processes (and there's no plan to add such means), or
> > 2) RemoteTransport::terminate() should never be called separately, but
> > exclusively only from inside callbacks invoked by Sword.
> >
> > In the latter case, this should be made clear in the documentation.
> >
> > Blessings,
> > J
> >
> > On 25.06.2017 21:53, Troy A. Griffitts wrote:
> > > We have included some of your patches in the past (thank you again), but
> > > not these. The first is intentional. We want to work with self signed
> > > certs if necessary. None of our content is private, only the fact that a
> > > user might access our server and for this, we ask all our frontends to
> > > warn against this for persecuted countries. The second goes against our
> > > policy in the library that all threading should be handled by the
> > > client, not the library. The client should instantiate an InstallMgr in
> > > its own thread and register threads are callbacks, if they wish to
> > > install in the background. If we start trying to handle threading in the
> > > library itself, it is a huge switch from current policy and depends on
> > > support for threading in all our compilers. Easy enough to just
> > > instantiate separate SWMgr instances per thread. But thank you for offering.
> > > Troy
> > >
> > > On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja wrote:
> > >
> > > Hi Troy!
> > >
> > > It seems that no fixes from Sword++ were considered for inclusion in SVN
> > > trunk, not even the two I explicitly proposed on this list in response
> > > to the RC2 announcement: one fixing hangs in front ends and the other
> > > fixing a pure security negligence which rendered SSL/TLS susceptible to
> > > MitM attacks.
> > >
> > > ?!?!
> > >
> > > J
> > >
> > > On 25.06.2017 18:51, Troy A. Griffitts wrote:
> > >
> > > Again, thank you to all the testers and reporters of problems for the
> > > previous RC and those who contributed fixes. Hopefully, this will stand
> > > any scrutiny and become 1.8.0. Please let me know if you have any feedback.
> > >
> > > http://crosswire.org/sword/alpha/alpha/sword-1.7.903.tar.gz
> > >
> > > Included since last RC:
> > >
> > > ------------------------------------------------------------------------
> > > r3482 | scribe | 2017-06-25 07:36:23 -0700 (Sun, 25 Jun 2017) | 2 lines
> > >
> > > Reworked strongs and lemma filters to better support any combo of toggle
> > > Added osisxhtml lemma type= support for other than Greek, Hebrew strongs
> > >
> > > ------------------------------------------------------------------------
> > > r3481 | scribe | 2017-06-25 04:45:04 -0700 (Sun, 25 Jun 2017) | 3 lines
> > >
> > > moved examples/simple.cpp to examples/tasks/simpleverselookup.cpp
> > >
> > > also updated CMakeList.txt to build new examples
> > >
> > > ------------------------------------------------------------------------
> > > r3480 | scribe | 2017-06-25 04:44:29 -0700 (Sun, 25 Jun 2017) | 1 line
> > >
> > > added listbiblebooknames example
> > >
> > > ------------------------------------------------------------------------
> > > r3479 | scribe | 2017-06-25 04:44:01 -0700 (Sun, 25 Jun 2017) | 1 line
> > >
> > > added flatapi installmgr example
> > >
> > > ------------------------------------------------------------------------
> > > r3478 | refdoc | 2017-06-10 15:28:11 -0700 (Sat, 10 Jun 2017) | 2 lines
> > >
> > > added Belarussian locale file
> > >
> > > ------------------------------------------------------------------------
> > > r3477 | domcox | 2017-06-04 11:18:34 -0700 (Sun, 04 Jun 2017) | 1 line
> > >
> > > French translation update (Contrib. from Cyrille)
> > >
> > > ------------------------------------------------------------------------
> > >
> > > sword-devel mailing list: sword-devel at crosswire.org
> > > http://www.crosswire.org/mailman/listinfo/sword-devel
> > > Instructions to unsubscribe/change your settings at above page
> > > --
> > > Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
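
A source-tree check a packager could run to find the pattern quoted in this thread (an added example, not part of the original messages and not SWORD or Sword++ code): it reports `curl_easy_setopt` calls that set a verification option to a literal off value. It goes slightly beyond the thread by also covering `CURLOPT_SSL_VERIFYHOST`, libcurl's companion hostname check; the function name and the sample source are constructed for illustration.

```python
import re

# Literal values that switch a libcurl verification option off.
OFF_VALUES = {"0", "0l", "false"}

# curl_easy_setopt(<handle>, <verify option>, [(long)]<word>)
CALL = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,]+,\s*"
    r"(CURLOPT_SSL_VERIFYPEER|CURLOPT_SSL_VERIFYHOST)\s*,\s*"
    r"(?:\(\s*long\s*\)\s*)?(\w+)\s*\)"
)
# String literals are matched first so "https://..." is not read as a comment.
SKIP = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)


def _blank_comment(match):
    text = match.group(0)
    if text.startswith('"'):
        return text  # keep string literals untouched
    return re.sub(r"[^\n]", " ", text)  # keep newlines so line numbers hold


def find_disabled_tls_checks(source):
    """Return (line, option, value) for each call that turns a check off."""
    code = SKIP.sub(_blank_comment, source)
    findings = []
    for m in CALL.finditer(code):
        if m.group(2).lower() in OFF_VALUES:
            line = code.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), m.group(2)))
    return findings


# Constructed sample: line 3 is the call quoted in the thread, the rest is made up.
SAMPLE = '''\
static void configure(CURL *session, long verify) {
    /* Disable checking host certificate */
    curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, false);
    curl_easy_setopt(session, CURLOPT_URL, "https://example.org/"); curl_easy_setopt(session, CURLOPT_SSL_VERIFYHOST, 0L);
    // curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, 0);
    curl_easy_setopt(session,
                     CURLOPT_SSL_VERIFYPEER,
                     verify);
}
'''

if __name__ == "__main__":
    for line, option, value in find_disabled_tls_checks(SAMPLE):
        print(f"line {line}: {option} set to {value}")
```

Calls that pass a variable, such as the last one in the sample, are not reported and need a manual look at where the value comes from.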