Date: Wed, 20 Jun 2018 09:49:03 -0700
From: Stephen Kiernan <hackagadget@gmail.com>
To: cem@freebsd.org
Cc: Ian Lepore <ian@freebsd.org>, "Simon J. Gerraty" <sjg@juniper.net>, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers <src-committers@freebsd.org>
Subject: Re: svn commit: r335402 - head/sbin/veriexecctl
Message-ID: <CAEm%2B2uVXQc7%2Bx6tmQyfeiU4rYKFMCcFZ2Q3_SHA1jf%2BOoHThfg@mail.gmail.com>
In-Reply-To: <CAG6CVpUgy8LhCkFZZ1D8BH%2BqJ_CDikvYNJrM9Nc0Ut5u=AVMHA@mail.gmail.com>
References: <201806200108.w5K18sIR050132@repo.freebsd.org>
 <CAG6CVpV124ze%2BY6xX2ZFqbM%2B3hJNEJWR2qpnChpey=PmiW6qXg@mail.gmail.com>
 <96021.1529475664@kaos.jnpr.net>
 <CAJ5_RoBvwNH7-ZCd3LxtXg21TE49uX2y35Jwa6MM%2Bwn%2BX0_wUQ@mail.gmail.com>
 <17033.1529508519@kaos.jnpr.net>
 <CAG6CVpVwrWaDMcVRfgaOHagfPbnmULKe6R=GJiZi-reZYbZr8A@mail.gmail.com>
 <1529510299.24573.5.camel@freebsd.org>
 <CAG6CVpUgy8LhCkFZZ1D8BH%2BqJ_CDikvYNJrM9Nc0Ut5u=AVMHA@mail.gmail.com>

On Wed, Jun 20, 2018 at 9:30 AM, Conrad Meyer <cem@freebsd.org> wrote:

>
> Please look at the actual code size and layout of the sha1 support
> module and tell me that is a burden for Juniper to maintain in their
> downstream tree, rather than just getting angry about the suggestion
> we don't introduce novel, insecurity cryptographic designs.
>

I have no problem removing the SHA1 and RIPEMD implementations. It's a minor change and very little code for others to have to maintain if needed. That was the intention of fingerprint module implementation, to try to make it easy to add/remove different algorithms. It could even potentially be done as a port, if people are keen to having to pre-load a module to get the support (I know that that's a bit of a grey area without a verified loader and secureboot or similar functionality to protect integrity.)

I think some of the issue was this code has been looking for eyes to give a good look for over 2 years (even before the review was posted, it was available in my GitHub branch for at least 1 year prior, if not longer.)

As for some of the other issues, note my comment in the review https://reviews.freebsd.org/D8554:

"Note I have some updates that I have been working on to handle the meta-data store better in SMP environments. So there will be updates to these reviews, hopefully in the near future, time permitting."

And I was working on those sets of changes, when work and family didn't steal away time.

I was told that some discussion happened at BSDCan this year in such that veriexec should go in as-is so it would be there, which is why the commit happened (given the review was approved to land back in January.)

I suppose I should have just kept with my original intention to fix the issues and update the review(s). Hopefully now it will mean it will get the right eyes on it.

I don't believe I need to dig up all the e-mail threads and chat logs for IRC where I asked for help and was given pointers to folks to contact and we ended up here. It's a better use of everyone's time to just cool down, back things out, get new reviews updated and provide constructive feedback.

So far this experience (I am not pointing at you here) has been a mixed set of constructive comments and outright flaming. The latter of which is never going to help get the right results and could be one of the reasons that a number of folks give up contributing to FreeBSD.

-Steve