prep for 1.0.1

Eric S. Raymond esr at thyrsus.com
Thu Mar 1 11:46:24 UTC 2018


Hal Murray <hmurray at megapathdsl.net>:
> 
> devel at ntpsec.org said:
> > I see no real blockers.  We've got a bunch of little nits and documentation
> > issues.  I might try to push a fix for #446. 
> 
> There is no problem unless you setup your keys file to use an algorithm with 
> a big digest.
> 
> The short term clean fix is to reject algorithms with too-big digests.  It's 
> a few lines of code.  You can copy it from attic/digest-find.c

Would you do this, please?  You obviously know the code and the context.

> The simpler fix, 2 lines in 2 places, is to truncate the length at the place where it is used.  That will make bigger/better digests "work", but not the way you might expect and I don't want to document that tangle and we probably don't want to have anything to do with not-as-secure-as-you-expect.

Bletch.  No, we don't.

> The right fix is to actually support longer digests.  I think that requires getting an extension code from IANA.  I'd be willing to delay a release if we want to do that.  I'd expect days or weeks rather than months, but it might get tangled up with IETF work.  (There is current discussion in this area.)

It's Mark's call whether we hold the release, but what I will advise is that
we put this on the task list for the next one.  Please open a tracker request
for enhancement and explain the IANA connection.

Classic had some CVEs out on 27 Feb.  Yesterday I merged the one fix we
appear to need; Daniel thinks we plugged the holes leading to the other
five in the protocol refactor.

I plan to fix some documentation nits before we ship.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.




More information about the devel mailing list