Recent blog entries for branden

14 May 2008 (updated 23 May 2008 at 10:37 UTC) »

Ben Laurie,

You wrote:

"It seems that the Debian maintainer did, indeed, mention his plan on openssl-dev. Openssl-dev is a list for people developing OpenSSL based software, not a list for discussing the development of OpenSSL itself. I don’t have the bandwidth to read it myself. If you want to communicate with the OpenSSL developers you need to use openssl-team@openssl.org."

Publishing contact information for the OpenSSL developers responsible for actually vetting patches to the OpenSSL source sounds like a great idea.

Of course, this address is prominently placed in the source archive so downstream people, and just plain interested users (such as professional cryptographers) will be aware of it, right? 

$ wget 
http://openssl.org/source/openssl-0.9.8g.tar.gz --2008-05-14 
01:56:41--  
http://openssl.org/source/openssl-0.9.8g.tar.gz
Resolving openssl.org... 195.30.6.166
Connecting to openssl.org|195.30.6.166|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3354792 (3.2M) [application/x-tar]
Saving to: `openssl-0.9.8g.tar.gz'


 100%[===================================================================================================================>] 
3,354,792    161K/s   in 16s


 2008-05-14 01:56:58 (200 KB/s) - `openssl-0.9.8g.tar.gz' 
saved [3354792/3354792]


 $ tar xfz openssl-0.9.8g.tar.gz
$ cd openssl-0.9.8g/
$ ls -1
CHANGES
CHANGES.SSLeay
ChangeLog.0_9_7-stable_not-in-head
ChangeLog.0_9_7-stable_not-in-head_FIPS
Configure
FAQ
INSTALL
INSTALL.DJGPP
INSTALL.MacOS
INSTALL.NW
INSTALL.OS2
INSTALL.VMS
INSTALL.W32
INSTALL.W64
INSTALL.WCE
LICENSE
MacOS
Makefile
Makefile.org
Makefile.shared
NEWS
Netware
PROBLEMS
README
README.ASN1
README.ENGINE
VMS
apps
bugs
certs
config
crypto
demos
doc
e_os.h
e_os2.h
engines
include
install.com
makevms.com
ms
openssl.doxy
openssl.spec
os2
perl
shlib
ssl
test
times
tools
util
$ grep -Fr openssl-team@openssl.org .
$ grep -Fr openssl-team .
$ grep team README
$ grep -i team README
$ grep -i team FAQ
You can check authenticity using pgp or gpg. You need the 
OpenSSL team
property rights, please consult a lawyer.  The OpenSSL team 
does not
$

Well, at least we'll be able to find this contact address in some reasonably conspicuous location on the OpenSSL website, right?

Let's try the front page. Hmm, nope.

How about the "Support" page, prominently placed on the site's navigation bar? Success! Er, kind of. We have openssl-announce, openssl-dev, openssl-cvs, and openssl-users. A pretty typical and idiomatic way of setting up mailing lists in Free and Open Source software projects. Kudos! Except, as you noted, none of these is actually the right list to contact the developers of OpenSSL. Well, I'm sure I'm the only person on earth whose intuition is challenged by that, so let's check some other places on the OpenSSL website wherein my howlingly erroneous assumption is put right.

Well, this is a patch we're talking about, so how about the Contribution page?

Hmm, perhaps:

Welcome to the User Contribution Area of OpenSSL. This area contains files maintained by the OpenSSL users and placed here by the OpenSSL team. They are provided AS IS without any kind of support or guaranty.

THIS AREA IS PROVIDED BY THE OPENSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

No, perhaps not.

The Source page is another dead-end; it shows me a lot of source I can retrieve, but does not inform me whom I can speak with about it. Undaunted, I press on.

Well, heck, how about the About page? Hey, this looks promising!

The OpenSSL Core and Development Team

The OpenSSL project is volunteer-driven. We do not have any specific requirement for volunteers other than a strong willingness to really contribute while following the projects goal. The OpenSSL project is formed by a development team, which consists of the current active developers and other major contributors. Additionally a subset of the developers form the OpenSSL core team which globally manages the OpenSSL project. Anyone wanting to join the development effort should subscribe to the developers mailing list openssl-dev@openssl.org, where all development efforts are coordinated.

But, silly me, of course I should utterly disregard the exclusive mention of openssl-dev@openssl.org in a section entitled "The OpenSSL Core and Development Team".

Several individual members are listed, yourself under "core team", and Ulf Möller under "development team". If Mr. Möller was a member of the "development team" at the time Debian developer Kurt Roeckx contacted the openssl-dev list, then I'm sure he should have known to disregard the advice he was given, right? (I'm sure you can correct me with appropriate fist-shaking indignation if your and Mr. Möller's status in the dev team was sufficiently different two years ago. You may, or may not, want to consult The Internet Archive's copy of the page as it existed on 1 and 2 May, 2006, before doing so.)

Well, I have one trick left up my sleeve—I can consult that device which has applied cluebats to addled heads for generations, the mighty FAQ! And do I find an answer?

Hallelujah!

3. How can I contact the OpenSSL developers? The README file describes how to submit bug reports and patches to OpenSSL. Information on the OpenSSL mailing lists is available from http://www.openssl.org.

(emphasis added)

By God, you've got me! Just read the README, for which a case-insensitive grep for "team" returns no matches! But never mind that, I can just go to www.openssl.org, find the...er...nonexistent...mention of mailing lists on the front page, stumble around until I find the aforementioned list of mailing lists, and, uh...don't find any mention of "openssl-team@openssl.org".

Hey, but you stand vindicated, because you shouted the correct contact address to the whole world in the 43rd comment to the 327th post on your blog (which must surely compare favorably to being posted on the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'.).

Your certificate of induction into the Good Communication Hall of Fame is forthcoming.

Which mailing list should I send it to?

29 Jul 2000 »

Obviously I have not been writing diary entries very frequently. Since last I posted here, I have moved to Indianapolis and taken a job with Progeny Linux.

Hacking activities: I am finally getting Debian packages of XFree86 4.0.1 off the ground. I largely have Progeny to thank for letting me spend time on this.

Nonhacking activities: Books? Well, I finished The Final Days quite a while back. Currently on the pile is Overcoming Law by U.S. Appeals Court Judge Richard Posner (the same guy Thomas Penfield Jackson appointed to mediate between the DoJ and Microsoft); that's the one I'm reading at present. Next come Cryptonomicon and something I probably should have read long ago, Dune. On the musical front, I finally bought the guitar amplifier I've been wanting for so long: a Marshall Valvestate VS102R. 100 watts. Woohoo! It's definitely no practice amp, being grossly overpowered for the apartment, but I learned a few years ago that while 35 watts may sound plenty loud in your house, it's not enough when you're jamming with a few other people (other amps, drums, etc.).

I seem to have difficulty talking about software in these diary entries. I guess the Debian lists absorb most of that, leaving precious little for Advogato. Anyway, those who care about what I've actually been hacking on can just go the X Strike Force and make themselves sick on Debian packaging minutae, and fun things like app-defaults switcheroos. I just love getting my hands grubby with xc/lib/Xt/IntrinsicI.h.

Until next time...

10 Apr 2000 »

Hacking activities

Well, the weekend didn't turn out as productive as I had hoped. Much of the time that I should have spent hacking on XFree86 4 was instead spent forking Debian's ALSA packages. The current package maintainer seems to have some staggeringly strange ideas about package relationships. Once these are finished, I'll make them available on my Debian webpage, put up a Packages.gz, and let users vote with their feet.

Not-so-hacking activities

Got through about eight chapters each of Tcl and the Tk Toolkit and The Final Days. Tcl's syntax is every bit as quirky as people warned me. Ousterhout is right, there really are just a few simple rules; I just have to learn to selectively switch off my mental Bourne (and, to a lesser extent, C) syntax filters. It is interesting to read about the Nixon presidency and contrast it with what is regarded as political malfeasance today. In Nixon's day, it was believed that if word of the Huston Plan got out, it would be terribly damaging to him politically. Today, Louis Freeh testifies before Congress, bald-facedly asserting the necessity of surveillance powers that were but a spook's masturbatory fantasy in 1974 -- and yet hysterical partisans try to take down the President for getting his pole waxed by a coat-tail riding fluffer. Things in this country are screwed. Maybe I'll have to stow away in Wichert's luggage next time we're at a Linux conference together.

How much do I owe the RIAA for this?

Popped a couple of CD's in the stereo, cranked it and the guitar amplifier up, and got in some practice today. Half a dozen Beatles tunes (Day Tripper, We Can Work It Out, Paperback Writer, Lady Madonna, Hey Jude, and Revolution) and Limelight by Rush. Two things really suck about the latter -- 1) trying to count through the guitar solo is unholy difficult, but also the only the way to play it right; 2) the clean channel during the chorus was a single-coil overdub, so I have exactly the space between two eighth notes to move the pickup switch *and* step on the distortion pedal to switch it to bypass, if I want to reproduce the original parts. Playing that clean part through the humbucker sounds awful to me. Oh well, I guess I'll just have to palm-mute the part instead. Did I mention how hard it is to count the solo?

Quaint thoughts

Frankly, I think people have the right to be disinterested in whatever discussion threads they choose, and don't deserve to have inflammatory rhetoric used against them. Connotating "quaint" as "brutally dismissive" -- very clever, reinforces that male stereotype of brutality. These are diary entries. People should take what they want and leave what they don't. They should also be left free to say why they're taking or leaving it. :) This is not a symposium. Diary entries should not be regarded as attempts at persuasive speech, though they may contain strongly opinionated remarks. IMO, the right way to write, and read, these entries is with a generous dollop of indifference to the interests of others. That said, may I should take my own advice and just start ignoring the person by whom I feel provoked. :)

Hmm, wish I had some more hacking talk, but today just wasn't a very hacking day...I caught enough of tonight's X-Files episode (written and directed by Gillian Anderson) to note that it seemed primarily to be showcase for the Moby album, and some really shallow introspective monologues. So I got myself an antidote to both; popped in Liquid Tension Experiment 2 and indulged myself in 75 minutes of anti-minimalistic instrumentals. :) (Actually, the final half-hour is a relatively laidback.)

8 Apr 2000 »

Haven't made a diary entry in a few days.

Bought 4 books last night: Ousterhout's Tcl/Tk book -- old, but seems worth knowing; Lutz & Ascher's Learning Python -- I normally avoid O'Reilly where possible (it often isn't), but I will need to be getting my hands with sticky GUI prototyping languages for work; Erik Larson's Isaac's Storm -- apparently it's kind of a cliché to buy this these days, but hey, I heard Dick Estell reading it on NPR and it sounded good; Woodward & Bernstein, The Final Days -- I read All the President's Men last year so this seems apropos. Almost picked up Zinn's People's History of the United States but put it down after a cursory reading of some passages. When you repudiate both the Left and the Right, it sure is hard to find a political perspective that isn't aggravating. History simply is, we need neither apologize for it nor glorify it (or the people in it). Anyway, I needed some new books because I was falling back on my old standbys for bedtime reading material, The GNU C Library Reference Manual and The Columbia History of the World. Hopefully my fellow Advogatans have better things to do than laugh about my reading habits for the next few days in their own diary entries-cum-discussion threads.

I'm actually up somewhat early on a Saturday morning so I'll be spending the day beating on XFree86 4.0 as hard as I can. David Dawes quietly put out the 4.0a development release...a 1.6 megabyte diff! Some of the fixes are really important; I might have to make binary-only .deb releases until 4.0.1 is released. There are 94 bugfixes and enhancements identified in the changelog. Anyway, to say more would probably break my XFree86 development NDA, so I should just shut up and get back to work...

I have only two thread-type remarks: first, watching onionskin feminists and male chauvinist pigs fight is just as boring here as it is anyplace else, the Blys and Faludis should just excuse themselves and go scream at each other on USENET (though, to be fair, a glance at the bookshelves last night reveals that both Naomi Wolf and Susan Faludi realized at some point after 1996 that men are people, too -- I guess if you can't beat Paglia, join her, eh?); and second, it's good to see Joey Hess finally realizing just how evil Slang is as a screen library. Go with ncurses, my man, and learn the blessed way...

4 Apr 2000 »

I just uploaded Debian packages of version 4.0 of X...trs. :) Tim Mann just released the latest version of his cool TRS-80 emulator a few days ago. Packages that compile in three minutes are nice.

Anyway, back to XFree86 4.0 .debs...when they are ready they will appear at the usual place.

3 Apr 2000 »

A few of us Debian IRC guys (Jason Gunthorpe, Manoj Srivastava) hopped over here for the first time tonight and incestously cert'ed each other. Good to see that Joey Hess has master status; he needs to be disabused of his false modesty. :)

An interesting project, let's see what happens with it.

Okay, here's some diary-like ephemeralia: currently listening to Dream Theater's latest, Scenes from a Memory.

Boy, I really wish Advogato was more HTML 4'ish instead of this nasty 3.2 stuff. :)

Finally, I'm not sure that the TT tags are really working.

Nope, they're not...

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!