Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20150126044906.GJ13509@openwall.com>
Date: Mon, 26 Jan 2015 07:49:06 +0300
From: "(GalaxyMaster)" <galaxy@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: libnet

Solar,

On Mon, Jan 12, 2015 at 02:38:41AM +0300, Solar Designer wrote:
> What was the reason you chose to update our libnet from the latest
> official 1.1.3 (after which the project was abandoned upstream) to the
> unofficial or new maintainers' 1.2rc3?

It is from the new maintainer (Sam Roberts <vieuxtech@...il.com>) at
https://github.com/sam-github/libnet .  The reason I updated libnet was
the incompatibility with the new toolchain.  My options were as follows:

1. try to fix the old package with new toolchain;

2. update to 1.1.6, which is used by FC/RHEL but was released in 2012;

3. update to 1.2rc3, which is the current candidate for 1.2.

Option 1 required a lot of effort in comparison to other two. The
difference between 1.1.6 and 1.2rc3 was mostly cosmetic plus some memory
leaks fixes (I was skipping most of Win32 commits since it looked that
there was an effort to bring libnet up to date with building
environment on Win32 and OS X and there were many commits to address
these platforms).  Since an update from 1.1.3 to either 1.1.6 or 1.2rc3
was bringing approximately the same amount of changes I decided to go
for 1.2rc3 since it was a bit cleaner.

Moreover, libnet is required by a single package in Owl, which is
libnids.  libnids is also required by a single package - your scanlogd.
So, my logic was that given that the primary effort of the new
maintainer was to clean the code up (they did some Coverity tests
between 1.1.5 and 1.1.6), that the 1.1.6 version has been there for a
while in other distros with no patches, that the 1.2rc3 version is not
that different from 1.1.6, and that we have just one package actually
depending on libnet - I decided to go for 1.2rc3.

> I am concerned that we're getting non-reviewed code in.

I admit that I didn't closely review the code (I just went over the
commits from version 1.1.3 till 1.2rc3 and dove in on commits that were
catching my eye), however, I'm not sure that the effort of fully
reviewing this library is properly justified given that libnet is only
used by scanlogd via libnids.

-- 
(GM)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.