[sword-devel] SWORD 1.8.0RC3
Jaak Ristioja
jaak at ristioja.ee
Mon Jun 26 02:26:10 MST 2017
I think we need to make a distinction between developers and end users
here. IMHO it were best if the end user were presented with a choice
about whether to trust the self-signed, unverified or invalid
certificates, and perhaps also provide means to trust the presented
certificate permanently.
PS: I haven't tested it, but adding the self-signed certificates to the
root CA store might be a valid workaround for development purposes.
On 26.06.2017 12:15, Peter Von Kaehne wrote:
> Fair point, but a change from one to the other may be preferable for philosophical reasons, but practically I - and others - need to be able as users to make a determination what we want to accept and what not, instead of being forced into one direction. And, as tool writer and user (not frontend writer) I need to be able to override such things mechanically, i.e. without further user interaction.
>
>> Sent: Monday, 26 June 2017 at 10:04
>> From: "Jaak Ristioja" <jaak at ristioja.ee>
>> To: sword-devel at crosswire.org
>> Subject: Re: [sword-devel] SWORD 1.8.0RC3
>>
>> Overriding this setting was never possible with Sword in the first place.
>>
>> On 26.06.2017 11:05, refdoc at gmx.net wrote:
>>> As a user I would want to be able to override this, does this patch make
>>> this impossible?
>>>
>>> Sent from my mobile. Please forgive shortness, typos and weird autocorrects.
>>>
>>>
>>> -------- Original Message --------
>>> Subject: Re: [sword-devel] SWORD 1.8.0RC3
>>> From: Jaak Ristioja
>>> To: sword-devel at crosswire.org
>>> CC:
>>>
>>>
>>> Sure! Verifying TLS certificates is explicitly disabled in the file
>>>
>>> src/mgr/curlhttpt.cpp
>>>
>>> by the lines:
>>>
>>> /* Disable checking host certificate */
>>> curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, false);
>>>
>>> I've attached a patch for Sword SVN trunk which removed these lines. For
>>> the Sword++ commit, see
>>> https://github.com/swordxx/swordxx/commit/49de93ca35f61601376fab0ac8689f48a76dd4d6
>>>
>>> J
>>>
>>>
>>> On 26.06.2017 04:10, Greg Hellings wrote:
>>> > Jaak,
>>> >
>>> > Can you provide a version of that patch for 1.7 (and 1.8, if there is a
>>> > difference)? Or point me to where it lives? I will definitely wrap that
>>> > into the packaging for Fedora and SuSE as it is absolutely inappropriate
>>> > to have SSL checking skipped at the library level without it being a
>>> > very explicit step for users.
>>> >
>>> > If Troy won't fix this glaring security hole, it can at least be fixed
>>> > by the packagers. I would encourage any Debian and/or Ubuntu users to
>>> > file bugs against Sword packaging in their environments (if their
>>> > maintainer isn't here) and the same for any other distribution users.
>>> >
>>> > --Greg
>>> >
>>> > On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja wrote:
>>> >
>>> > Regarding TLS, I think the choice of whether to trust a self-signed
>>> > certificate should explicitly be left to the user at run-time (e.g. like
>>> > browsers do), rather than blindly accepting any (even expired?)
>>> > certificates.
>>> >
>>> > Regarding the other fix, frontends can (and already do) handle threading
>>> > by themselves, but afaik even for a single-threaded process the
>>> > callbacks accepted by Sword have no direct means to terminate the
>>> > installation process (e.g. by return value, or via another callback
>>> > provided to the callback). So it seems that you're either saying that
>>> >
>>> > 1) Sword users have no means to terminate potentially long-running
>>> > processes (and there's no plan to add such means), or
>>> > 2) RemoteTransport::terminate() should never be called separately, but
>>> > exclusively only from inside callbacks invoked by Sword.
>>> >
>>> > In the latter case, this should be made clear in the documentation.
>>> >
>>> > Blessings,
>>> > J
>>> >
>>> > On 25.06.2017 21:53, Troy A. Griffitts wrote:
>>> > > We have included some of your patches in the past (thank you again), but
>>> > > not these. The first is intentional. We want to work with self signed
>>> > > certs if necessary. None of our content is private, only the fact that a
>>> > > user might access our server and for this, we ask all our frontends to
>>> > > warn against this for persecuted countries. The second goes against our
>>> > > policy in the library that all threading should be handled by the
>>> > > client, not the library. The client should instantiate an InstallMgr in
>>> > > its own thread and register threads are callbacks, if they wish to
>>> > > install in the background. If we start trying to handle threading in the
>>> > > library itself, it is a huge switch from current policy and depends on
>>> > > support for threading in all our compilers. Easy enough to just
>>> > > instantiate separate SWMgr instances per thread. But thank you for offering.
>>> > > Troy
>>> > >
>>> > > On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja wrote:
>>> > >
>>> > > Hi Troy!
>>> > >
>>> > > It seems that no fixes from Sword++ were considered for inclusion in SVN
>>> > > trunk, not even the two I explicitly proposed on this list in response
>>> > > to the RC2 announcement: one fixing hangs in front ends and the other
>>> > > fixing a pure security negligence which rendered SSL/TLS susceptible to
>>> > > MitM attacks.
>>> > >
>>> > > ?!?!
>>> > >
>>> > > J
>>> > >
>>> > > On 25.06.2017 18:51, Troy A. Griffitts wrote:
>>> > >
>>> > > Again, thank you to all the testers and reporters of problems for the
>>> > > previous RC and those who contributed fixes. Hopefully, this will stand
>>> > > any scrutiny and become 1.8.0. Please let me know if you have any feedback.
>>> > >
>>> > > http://crosswire.org/sword/alpha/alpha/sword-1.7.903.tar.gz
>>> > >
>>> > > Included since last RC:
>>> > >
>>> > > ------------------------------------------------------------------------
>>> > >
>>> > > r3482 | scribe | 2017-06-25 07:36:23 -0700 (Sun, 25 Jun 2017) | 2 lines
>>> > >
>>> > > Reworked strongs and lemma filters to better support any combo of toggle
>>> > > Added osisxhtml lemma type= support for other than Greek, Hebrew strongs
>>> > >
>>> > > ------------------------------------------------------------------------
>>> > >
>>> > > r3481 | scribe | 2017-06-25 04:45:04 -0700 (Sun, 25 Jun 2017) | 3 lines
>>> > >
>>> > > moved examples/simple.cpp to examples/tasks/simpleverselookup.cpp
>>> > >
>>> > > also updated CMakeList.txt to build new examples
>>> > >
>>> > > ------------------------------------------------------------------------
>>> > >
>>> > > r3480 | scribe | 2017-06-25 04:44:29 -0700 (Sun, 25 Jun 2017) | 1 line
>>> > >
>>> > > added listbiblebooknames example
>>> > >
>>> > > ------------------------------------------------------------------------
>>> > >
>>> > > r3479 | scribe | 2017-06-25 04:44:01 -0700 (Sun, 25 Jun 2017) | 1 line
>>> > >
>>> > > added flatapi installmgr example
>>> > >
>>> > > ------------------------------------------------------------------------
>>> > >
>>> > > r3478 | refdoc | 2017-06-10 15:28:11 -0700 (Sat, 10 Jun 2017) | 2 lines
>>> > >
>>> > > added Belarussian locale file
>>> > >
>>> > > ------------------------------------------------------------------------
>>> > >
>>> > > r3477 | domcox | 2017-06-04 11:18:34 -0700 (Sun, 04 Jun 2017) | 1 line
>>> > >
>>> > > French translation update (Contrib. from Cyrille)
>>> > >
>>> > > ------------------------------------------------------------------------
>>> > >
>>> > > ------------------------------------------------------------------------
>>> > >
>>> > > sword-devel mailing list: sword-devel at crosswire.org
>>> > > http://www.crosswire.org/mailman/listinfo/sword-devel
>>> > > Instructions to unsubscribe/change your settings at above page
>>> > > --
>>> > > Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
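The three positions in this thread (verify by default, trust one self-signed certificate without disabling verification, and allow an explicit non-interactive override) can coexist in one client setting. The sketch below is an added example, not code from this thread, SWORD or Sword++; it uses Python's standard `ssl` module rather than libcurl, and `TlsPolicy`, `build_context` and `describe` are hypothetical names.

```python
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TlsPolicy:
    """Hypothetical per-source setting; not a SWORD or Sword++ type."""
    extra_ca_file: Optional[str] = None  # PEM of a self-signed cert the user chose to trust
    allow_insecure: bool = False         # explicit opt-out, e.g. set in a tool's config file


def build_context(policy: TlsPolicy = TlsPolicy()) -> ssl.SSLContext:
    # Secure default: chain and hostname are verified against the system roots
    # (libcurl equivalent: CURLOPT_SSL_VERIFYPEER=1, CURLOPT_SSL_VERIFYHOST=2).
    ctx = ssl.create_default_context()
    if policy.extra_ca_file:
        # Trust one extra certificate while verification stays on
        # (libcurl equivalent: CURLOPT_CAINFO naming a bundle that contains it).
        ctx.load_verify_locations(cafile=policy.extra_ca_file)
    if policy.allow_insecure:
        # Reached only when the caller asked for it. check_hostname has to be
        # cleared first; Python refuses CERT_NONE while it is still set.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> str:
    """Summary a frontend could log or display so a weakened state is visible."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "INSECURE: peer certificate not verified"
    return "verified: chain=%s hostname=%s" % (
        ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname)
```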