Gearing up (again) for the next release: 2014.2.0.0

Brandon Allbery allbery.b at gmail.com
Tue Apr 8 15:37:12 UTC 2014


On Tue, Apr 8, 2014 at 11:29 AM, Gregory Collins <greg at gregorycollins.net> wrote:
>
> On Tue, Apr 8, 2014 at 5:10 PM, Michael Snoyman <michael at snoyman.com> wrote:
>
>> I know people have raised security concerns about using the tls package
>> due to lack of testing relative to OpenSSL, but I'm not sure if those
>> arguments are so valid given recent events[5].
>
>
> Yeah, I've been meaning to mention this issue -- I have definitely been
> among those in the past pushing for OpenSSL as the only sensible solution
> (conventional crypto wisdom is that you stick to tried and true,
> well-tested solutions) but I might change my tune on this. Sure, the
> Haskell tls library might potentially be vulnerable to unknown side
> chaining or timing attacks (and there is C code in there), but I don't see
> much chance of buffer overflows leading to secret key disclosure (!) coming
> out of our camp.
>

I would still want to see some kind of security review; the fact that
someone found a hole in the steel door doesn't justify replacing it with a
plastic screen door.

-- 
brandon s allbery kf8nh                               sine nomine associates
allbery.b at gmail.com                                  ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net