Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20150627135947.GA2152@gremlin.ru>
Date: Sat, 27 Jun 2015 16:59:47 +0300
From: gremlin@...mlin.ru
To: owl-dev@...ts.openwall.com
Subject: Re: OpenSSL

On 2015-06-11 21:54:39 +0300, Solar Designer wrote:

 > It looks like our options are:

Only one:

 > 4. Ignore Red Hat's patches, just package upstream OpenSSL's
 > code with our patches.

We may use RH patches, but aren't required to.

 > Drawback: then we're not justified to keep Red Hat's soname,
 > so we break binary compatibility with RHEL.

Actually, we've lost it several years ago when we stuck with old
glibc-2.3 - so we can safely drop this compatibility notice.

>From my experience (2 all: in 5 recent years, I was primarily
working as a system architect for HA+HL systems), when people
need RHEL compatibility, they take CentOS and nothing else.

 > 6. Give up on Owl.

Not an option at all.

 > I feel that deciding on this should be part of a bigger
 > decision on where Owl is heading.

I see at least one not-yet-filled area: virtualization host for
both VPSes (OpenVZ) and VDSes (KVM).

Also it's really good as a base for guest system templates for
some common services like mail servers (I use dovecot and exim
running in one container), web servers (separate containers for
nginx frontend and various backends), database servers (I use
either MongoDB, MySQL or PosgreSQL), VPN servers (OpenVPN in a
KVM-based VDS), etc.

And yes - I've tried other solutions, but they are either ugly
or expensive.

 > Should it still maintain any RHEL compatibility?

No. There's none in recent years, and that never was a problem.

 > If not, then is there sufficient reason for us to use RPM

Yes.

 > and to continue building Owl as a Linux distro?

Yes. There really is a strong requirement for a small and secure,
but also functional system.

The main problem with Owl is the lack of out-of-box usability.
Well, 10 years ago it had some sort of, but now it can perform
only two functions: VPS host (without live migration support)
and DNS server (requires manual configuring other than simply
adding zones).

 > I mean, there's lots of crap not only in OpenSSL and RHEL,
 > but also in RPM

Alas, all other options are much worse.

 > and in the Linux kernel, but we chose those for compatibility.
 > So if we start to drop compatibility, then how far do we go?

80% of compatibility may achieved with only 20% effort.

 > And does our project still make sense then?

Obviously, yes.

 > Previously, we'd choose option 2 from the list above, but at
 > this time I'm not sure. I'd like to minimize the effort spent
 > on maintenance, and to direct more effort to doing new and
 > longer term beneficial things.

Now our choice could be only #4.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.