From jerry at opendnssec.org Fri May 2 05:26:32 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Fri, 02 May 2014 07:26:32 +0200
Subject: [Opendnssec-develop] Jenkins JUnit Test Results problem
Message-ID: <1399008392.31605.9.camel@what>

Hi,

So about all the test jobs are failing and it's because of a change in
the latest Jenkins build. I will try and revert one build later today to
see if I can run that until it's fixed.

https://issues.jenkins-ci.org/browse/JENKINS-22798

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 643 bytes
Desc: This is a digitally signed message part
URL:

From jerry at opendnssec.org Fri May 2 12:24:16 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Fri, 02 May 2014 14:24:16 +0200
Subject: [Opendnssec-develop] Re: Jenkins JUnit Test Results problem
In-Reply-To: <1399008392.31605.9.camel@what>
References: <1399008392.31605.9.camel@what>
Message-ID: <1399033456.20823.1.camel@mine>

On fre, 2014-05-02 at 07:26 +0200, Jerry Lundström wrote:
> So about all the test jobs are failing and it's because of a change in
> the latest Jenkins build. I will try and revert one build later today to
> see if I can run that until it's fixed.
>
> https://issues.jenkins-ci.org/browse/JENKINS-22798

Version reverted and test jobs are now successful.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
From sara at sinodun.com Tue May 6 08:40:18 2014
From: sara at sinodun.com (Sara Dickinson)
Date: Tue, 6 May 2014 09:40:18 +0100
Subject: [Opendnssec-develop] Fwd: [Opendnssec-maintainers] OpenDNSSEC 1.3.17rc1 release candidate
References: <834A8E83-905B-40E8-A4DC-5D1E7FC97ED9@sinodun.com>
Message-ID: <452321E2-3999-46D0-B7A7-F2AD3ABBD9BC@sinodun.com>

Hi All,

I'm not aware of any issues with 1.3.17rc1 so I would like to go ahead with the full release today.

Jerry - please create the tarball when convenient.

Sara.

Begin forwarded message:

> From: Sara Dickinson
> Subject: [Opendnssec-maintainers] OpenDNSSEC 1.3.17rc1 release candidate
> Date: 28 April 2014 15:28:38 BST
> To: opendnssec-maintainers at lists.opendnssec.org
> Cc: Opd Dev
>
> All,
>
> Version 1.3.17rc1 of OpenDNSSEC is now available. This is a release candidate for testing purposes:
>
>
> OpenDNSSEC 1.3.17rc1
> --------------------
>
> Updates:
> * SUPPORT-114: libhsm: Optimize storage in HSM by deleting the public key directly if SkipPublicKey is used [OPENDNSSEC-575].
> * Signer Engine: log serial of signed zone in STATS line.
> * OPENDNSSEC-550: Signer Engine: Put NSEC3 records on empty non-terminals derived from unsigned delegations (be compatible with servers that are incompatible with RFC 5155 errata 3441).
> * OPENDNSSEC-569: Build compatibility with SoftHSMv2.
> * Signer Engine: Examine unsigned zone checks for SOA RRset existence.
> * OPENDNSSEC-591: ods-ksmutil: Extend 'key list' command with options to filter on key type and state. This allows keys in the GENERATE and DEAD state to be output.
>
> Bugfixes:
> * SUPPORT-116: ods-ksmutil key import. Date validation fails on certain dates [OPENDNSSEC-589].
> * OPENDNSSEC-481: libhsm: Fix an off-by-one length check error.
> * OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects.
> * OPENDNSSEC-515: Signer Engine: Don't replace tabs in RRs with whitespace.
> * OPENDNSSEC-538: libhsm: Possible memory corruption in hsm_get_slot_id.
> * Signer Engine: Fix a race condition when stopping daemon.
> * OPENDNSSEC-586: enforcer & ods-ksmutil: Improve logging on key creation and allocation.
> * OPENDNSSEC-588: ods-ksmutil: Exported value of in 'policy export' output could be wrong on MySQL.
>
> Download:
> * https://dist.opendnssec.org/source/testing/opendnssec-1.3.17rc1.tar.gz
> * https://dist.opendnssec.org/source/testing/opendnssec-1.3.17rc1.tar.gz.sig
> * Checksum SHA1: 89f7c3b734080ef0472bcf39e11801b20d305e8d
> * Checksum SHA256: 0a38bd01a4aee2328b1129621c979eef72e6ed8fce6f39da6f53b8485eb658cd
>
>
> A full OpenDNSSEC 1.3.17 release is planned for Tuesday 6th May
>
>
> //OpenDNSSEC team
>
> _______________________________________________
> Opendnssec-maintainers mailing list
> Opendnssec-maintainers at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-maintainers

From jerry at opendnssec.org Tue May 6 10:41:44 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 06 May 2014 12:41:44 +0200
Subject: [Opendnssec-develop] Fwd: [Opendnssec-maintainers] OpenDNSSEC 1.3.17rc1 release candidate
In-Reply-To: <452321E2-3999-46D0-B7A7-F2AD3ABBD9BC@sinodun.com>
References: <834A8E83-905B-40E8-A4DC-5D1E7FC97ED9@sinodun.com> <452321E2-3999-46D0-B7A7-F2AD3ABBD9BC@sinodun.com>
Message-ID: <1399372904.3266.0.camel@mine>

https://dist.opendnssec.org/source/opendnssec-1.3.17.tar.gz
https://dist.opendnssec.org/source/opendnssec-1.3.17.tar.gz.sig

SHA1 732ffcbb3b7ca39e35b053dc1d4e516a9b9bbaa2
SHA256 9f0dcfb53a3e10255b2d85e6a30663548eca1ec2e900b7cd5db9329f1710e323

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
From sara at sinodun.com Tue May 6 12:44:38 2014
From: sara at sinodun.com (Sara Dickinson)
Date: Tue, 6 May 2014 13:44:38 +0100
Subject: [Opendnssec-develop] OpenDNSSEC 1.3.17
Message-ID: <53BE3F7B-DB29-46A1-B5B4-C8F341A6BBD2@sinodun.com>

All,

Version 1.3.17 of OpenDNSSEC has now been released:

Updates:
* SUPPORT-114: libhsm: Optimize storage in HSM by deleting the public key directly if SkipPublicKey is used [OPENDNSSEC-575].
* Signer Engine: log serial of signed zone in STATS line.
* OPENDNSSEC-550: Signer Engine: Put NSEC3 records on empty non-terminals derived from unsigned delegations (be compatible with servers that are incompatible with RFC 5155 errata 3441).
* OPENDNSSEC-569: Build compatibility with SoftHSMv2.
* Signer Engine: Examine unsigned zone checks for SOA RRset existence.
* OPENDNSSEC-591: ods-ksmutil: Extend 'key list' command with options to filter on key type and state. This allows keys in the GENERATE and DEAD state to be output.

Bugfixes:
* SUPPORT-116: ods-ksmutil key import. Date validation fails on certain dates [OPENDNSSEC-589].
* OPENDNSSEC-481: libhsm: Fix an off-by-one length check error.
* OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects.
* OPENDNSSEC-515: Signer Engine: Don't replace tabs in RRs with whitespace.
* OPENDNSSEC-538: libhsm: Possible memory corruption in hsm_get_slot_id.
* Signer Engine: Fix a race condition when stopping daemon.
* OPENDNSSEC-586: enforcer & ods-ksmutil: Improve logging on key creation and allocation.
* OPENDNSSEC-588: ods-ksmutil: Exported value of in 'policy export' output could be wrong on MySQL.
Documentation:
* http://wiki.opendnssec.org/display/DOCS13

Download:
* http://dist.opendnssec.org/source/opendnssec-1.3.17.tar.gz
* http://dist.opendnssec.org/source/opendnssec-1.3.17.tar.gz.sig
* Checksum SHA1: 732ffcbb3b7ca39e35b053dc1d4e516a9b9bbaa2
* Checksum SHA256: 9f0dcfb53a3e10255b2d85e6a30663548eca1ec2e900b7cd5db9329f1710e323

//OpenDNSSEC team

From jerry at opendnssec.org Wed May 7 13:07:11 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Wed, 07 May 2014 15:07:11 +0200
Subject: [Opendnssec-develop] Git tips and tricks
Message-ID: <1399468031.19352.29.camel@mine>

Make the git pager display tabs with a length of 4:

git config --global core.pager 'less -x1,5'

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jerry at opendnssec.org Thu May 8 09:22:41 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 08 May 2014 11:22:41 +0200
Subject: [Opendnssec-develop] Re: Jenkins JUnit Test Results problem
In-Reply-To: <1399033456.20823.1.camel@mine>
References: <1399008392.31605.9.camel@what> <1399033456.20823.1.camel@mine>
Message-ID: <1399540961.4660.2.camel@mine>

https://issues.jenkins-ci.org/browse/JENKINS-22798

Looks like they fixed this, I will test it out so Jenkins might not work
for a while.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
From jerry at opendnssec.org Thu May 8 11:01:13 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 08 May 2014 13:01:13 +0200
Subject: [Opendnssec-develop] Re: Jenkins JUnit Test Results problem
In-Reply-To: <1399540961.4660.2.camel@mine>
References: <1399008392.31605.9.camel@what> <1399033456.20823.1.camel@mine> <1399540961.4660.2.camel@mine>
Message-ID: <1399546873.4660.3.camel@mine>

On tor, 2014-05-08 at 11:22 +0200, Jerry Lundström wrote:
> https://issues.jenkins-ci.org/browse/JENKINS-22798
>
> Looks like they fixed this, I will test it out so Jenkins might not work
> for a while.

Matrix project has now been updated and seems to be working with the
latest Jenkins version.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From rickard at opendnssec.org Thu May 15 12:47:48 2014
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Thu, 15 May 2014 14:47:48 +0200
Subject: [Opendnssec-develop] Release SoftHSM 1.3.7
Message-ID:

Hi

I noticed that SoftHSM has some unreleased bugfixes in the develop branch. I believe you can go ahead with a release of version 1.3.7.

// Rickard
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jerry at opendnssec.org Thu May 15 14:13:57 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 15 May 2014 16:13:57 +0200
Subject: [Opendnssec-develop] Release SoftHSM 1.3.7
In-Reply-To:
References:
Message-ID: <583109260376255851@unknownmsgid>

I'm at RIPE68 right now, can start the process next week. Ok Sara?

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

On 15 maj 2014, at 14:47, Rickard Bellgrim wrote:

> Hi
>
> I noticed that SoftHSM has some unreleased bugfixes in the develop branch. I believe you can go ahead with a release of version 1.3.7.
>
> // Rickard

_______________________________________________
Opendnssec-develop mailing list
Opendnssec-develop at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

From sara at sinodun.com Thu May 15 14:30:27 2014
From: sara at sinodun.com (Sara Dickinson)
Date: Thu, 15 May 2014 15:30:27 +0100
Subject: [Opendnssec-develop] Release SoftHSM 1.3.7
In-Reply-To: <583109260376255851@unknownmsgid>
References: <583109260376255851@unknownmsgid>
Message-ID: <03AB1A35-A4E7-47E9-8899-43709913D53F@sinodun.com>

Yes - I'm busy until next week too so that is fine by me.

Sara.

On 15 May 2014, at 15:13, Jerry Lundström wrote:

> I'm at RIPE68 right now, can start the process next week. Ok Sara?
>
> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/
>
> On 15 maj 2014, at 14:47, Rickard Bellgrim wrote:
>
>> Hi
>>
>> I noticed that SoftHSM has some unreleased bugfixes in the develop branch. I believe you can go ahead with a release of version 1.3.7.
>>
>> // Rickard

From jerry at opendnssec.org Mon May 19 07:59:40 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 19 May 2014 09:59:40 +0200
Subject: [Opendnssec-develop] Release SoftHSM 1.3.7
In-Reply-To: <03AB1A35-A4E7-47E9-8899-43709913D53F@sinodun.com>
References: <583109260376255851@unknownmsgid> <03AB1A35-A4E7-47E9-8899-43709913D53F@sinodun.com>
Message-ID: <1400486380.2950.1.camel@mine>

https://dist.opendnssec.org/source/testing/softhsm-1.3.7rc1.tar.gz
https://dist.opendnssec.org/source/testing/softhsm-1.3.7rc1.tar.gz.sig

SHA1 61ea9cb52d2abad84053e77efbebd853963b1c89
SHA256 c28049f483a211294721bae27a2efa7f17a7495d6f2f8a6a3fe54a4c72f1c5e6

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From sara at sinodun.com Mon May 19 18:49:03 2014
From: sara at sinodun.com (Sara Dickinson)
Date: Mon, 19 May 2014 19:49:03 +0100
Subject: [Opendnssec-develop] RE: Team meeting - Tuesday 20 May @ 14:00 CEST
Message-ID:

Hi All,

We have a team meeting scheduled for tomorrow

Date: Tuesday 20 May 2014
Time: 14:00-15:00 CEST, 13:00-14:00 BST, 20:00-21:00 CST, 12:00-13:00 UTC
Method: Teamspeak (https://wiki.opendnssec.org/display/OpenDNSSEC/Conference+call+details)
Agenda: https://wiki.opendnssec.org/display/OpenDNSSEC/2014-05-20+Agenda

Sara.
From jerry at opendnssec.org Tue May 20 12:36:55 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 20 May 2014 14:36:55 +0200
Subject: [Opendnssec-develop] libhsm: parts renamed during 2.0 work
Message-ID: <1400589415.25828.21.camel@mine>

Hi,

So parts of libhsm has been renamed during the work with 2.0 since it
was colliding name space wise with the new database objects.

The commit is here:
https://github.com/jelu/opendnssec/commit/194f02c7d65d16d91ffae964e5d6d00ef6722420

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From matthijs at nlnetlabs.nl Tue May 20 13:06:00 2014
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Tue, 20 May 2014 15:06:00 +0200
Subject: [Opendnssec-develop] libhsm: parts renamed during 2.0 work
In-Reply-To: <1400589415.25828.21.camel@mine>
References: <1400589415.25828.21.camel@mine>
Message-ID: <537B5338.6010205@nlnetlabs.nl>

Hi Jerry,

I don't understand why you are changing the libhsm api because you
created a name collision yourself in the database model. Could you
please just rename your database model names instead of changing the api?

Changing the libhsm api breaks the signer.

Best regards,
Matthijs

On 05/20/2014 02:36 PM, Jerry Lundström wrote:
> Hi,
>
> So parts of libhsm has been renamed during the work with 2.0 since it
> was colliding name space wise with the new database objects.
>
> The commit is here:
> https://github.com/jelu/opendnssec/commit/194f02c7d65d16d91ffae964e5d6d00ef6722420

From rick at openfortress.nl Tue May 20 13:11:05 2014
From: rick at openfortress.nl (Rick van Rein)
Date: Tue, 20 May 2014 15:11:05 +0200
Subject: [Opendnssec-develop] Re: libhsm: parts renamed during 2.0 work
In-Reply-To: <1400589415.25828.21.camel@mine>
References: <1400589415.25828.21.camel@mine>
Message-ID:

Hi,

> So parts of libhsm has been renamed during the work with 2.0 since it
> was colliding name space wise with the new database objects.

It has only been done for the clashing names?

But that means that some identifiers start with hsm_ and others with libhsm_ - that is confusing.

> The commit is here:
> https://github.com/jelu/opendnssec/commit/194f02c7d65d16d91ffae964e5d6d00ef6722420

I would suggest either applying the patch to all libhsm identifiers or, as Matthijs also requested, do this to the database backend.

Please note that I am not planning to move the patches to the 2.0 product - that is probably too far off to permit proper testing by me.

-Rick
From jerry at opendnssec.org Tue May 20 13:13:13 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 20 May 2014 15:13:13 +0200
Subject: [Opendnssec-develop] libhsm: parts renamed during 2.0 work
In-Reply-To: <537B5338.6010205@nlnetlabs.nl>
References: <1400589415.25828.21.camel@mine> <537B5338.6010205@nlnetlabs.nl>
Message-ID: <1400591593.25828.24.camel@mine>

Hi Matthijs,

On tis, 2014-05-20 at 15:06 +0200, Matthijs Mekking wrote:
> I don't understand why you are changing the libhsm api because you
> created a name collision yourself in the database model. Could you
> please just rename your database model names instead of changing the api?

The name hsm_key describes it perfectly, because it's a database object
with the HSM key content. It was called HSM key in protobuf also but it
was C++ stil so it was HsmKey.

I would like to have the database object called hsm_key and the libhsm
stuff prefixed with libhsm because that clearly separates the
functionality.

> Changing the libhsm api breaks the signer.

No, it's been sed'ed everywhere. Everything compiles and works.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
From jerry at opendnssec.org Tue May 20 13:15:47 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 20 May 2014 15:15:47 +0200
Subject: [Opendnssec-develop] Re: libhsm: parts renamed during 2.0 work
In-Reply-To:
References: <1400589415.25828.21.camel@mine>
Message-ID: <1400591747.25828.26.camel@mine>

Hi Rick,

On tis, 2014-05-20 at 15:11 +0200, Rick van Rein wrote:
> > So parts of libhsm has been renamed during the work with 2.0 since it
> > was colliding name space wise with the new database objects.
>
> It has only been done for the clashing names?

Yes, because I just had to get it working and put the discussion (this
one) further down the line.

> But that means that some identifiers start with hsm_ and others with libhsm_ - that is confusing.

I know and I would like to change all.

> > The commit is here:
> > https://github.com/jelu/opendnssec/commit/194f02c7d65d16d91ffae964e5d6d00ef6722420
>
> I would suggest either applying the patch to all libhsm identifiers or, as Matthijs also requested, do this to the database backend.

No Matthijs suggested to change the database object name. I want to
change the libhsm names.

> Please note that I am not planning to move the patches to the 2.0 product - that is probably too far off to permit proper testing by me.

Ok, then you do not have to worry about this :)

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
From rick at openfortress.nl Tue May 20 13:19:30 2014
From: rick at openfortress.nl (Rick van Rein)
Date: Tue, 20 May 2014 15:19:30 +0200
Subject: [Opendnssec-develop] libhsm: parts renamed during 2.0 work
In-Reply-To: <1400591593.25828.24.camel@mine>
References: <1400589415.25828.21.camel@mine> <537B5338.6010205@nlnetlabs.nl> <1400591593.25828.24.camel@mine>
Message-ID: <5F1A5C7B-9A69-4D3F-BBC1-2D43995D13AC@openfortress.nl>

Hi,

> The name hsm_key describes it perfectly, because it's a database object
> with the HSM key content. It was called HSM key in protobuf also but it
> was C++ stil so it was HsmKey.

So the protobuf-originated code is the new one. Changing that is less heavy on the project, esp. regarding porting of patches.

> I would like to have the database object called hsm_key and the libhsm
> stuff prefixed with libhsm because that clearly separates the
> functionality.

I rather disagree. The prefix "libhsm_" instead of "hsm_" focusses on the minor detail of it being a library, whereas the point of the "hsm_" prefix is to focus on the idea of having an API to the HSM.

These two reasons means that I vote for Matthijs' proposal.

-Rick
From matthijs at nlnetlabs.nl Tue May 20 13:20:01 2014
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Tue, 20 May 2014 15:20:01 +0200
Subject: [Opendnssec-develop] Re: libhsm: parts renamed during 2.0 work
In-Reply-To: <1400591747.25828.26.camel@mine>
References: <1400589415.25828.21.camel@mine> <1400591747.25828.26.camel@mine>
Message-ID: <537B5681.5040806@nlnetlabs.nl>

On 05/20/2014 03:15 PM, Jerry Lundström wrote:
> Hi Rick,
>
> On tis, 2014-05-20 at 15:11 +0200, Rick van Rein wrote:
>>> So parts of libhsm has been renamed during the work with 2.0 since it
>>> was colliding name space wise with the new database objects.
>>
>> It has only been done for the clashing names?
>
> Yes, because I just had to get it working and put the discussion (this
> one) further down the line.
>
>> But that means that some identifiers start with hsm_ and others with libhsm_ - that is confusing.
>
> I know and I would like to change all.
>
>>> The commit is here:
>>> https://github.com/jelu/opendnssec/commit/194f02c7d65d16d91ffae964e5d6d00ef6722420
>>
>> I would suggest either applying the patch to all libhsm identifiers or, as Matthijs also requested, do this to the database backend.
>
> No Matthijs suggested to change the database object name. I want to
> change the libhsm names.

I am fine with prepending everything libhsm_ too. Just I would like to
see the consistent prepending remain: Currently all libhsm calls are
prepended with hsm_. Your change makes an inconsistent prepending.

>
>> Please note that I am not planning to move the patches to the 2.0 product - that is probably too far off to permit proper testing by me.
>
> Ok, then you do not have to worry about this :)

From jerry at opendnssec.org Tue May 20 14:04:31 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 20 May 2014 16:04:31 +0200
Subject: [Opendnssec-develop] Re: libhsm: parts renamed during 2.0 work
In-Reply-To: <1794483118.7340.1400592105316.JavaMail.mobile-sync@vecro17>
References: <1400589415.25828.21.camel@mine> <1400591747.25828.26.camel@mine> <1794483118.7340.1400592105316.JavaMail.mobile-sync@vecro17>
Message-ID: <-6299978508507839608@unknownmsgid>

Hi,

On 20 maj 2014, at 15:20, Matthijs Mekking wrote:

> I am fine with prepending everything libhsm_ too. Just I would like to
> see the consistent prepending remain: Currently all libhsm calls are
> prepended with hsm_. Your change makes an inconsistent prepending.

The current change is not complete.

My proposal is to change all libhsm functions and types to prefix libhsm_ .

With the addition of database object there is a reason for the naming of
them and it is to be as clear as possible about the functionality from
viewing the name.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
From matthijs at nlnetlabs.nl Tue May 20 14:07:14 2014
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Tue, 20 May 2014 16:07:14 +0200
Subject: [Opendnssec-develop] Re: libhsm: parts renamed during 2.0 work
In-Reply-To: <-6299978508507839608@unknownmsgid>
References: <1400589415.25828.21.camel@mine> <1400591747.25828.26.camel@mine> <1794483118.7340.1400592105316.JavaMail.mobile-sync@vecro17> <-6299978508507839608@unknownmsgid>
Message-ID: <537B6192.7020807@nlnetlabs.nl>

On 05/20/2014 04:04 PM, Jerry Lundström wrote:
> Hi,
>
> On 20 maj 2014, at 15:20, Matthijs Mekking wrote:
>
>> I am fine with prepending everything libhsm_ too. Just I would like to
>> see the consistent prepending remain: Currently all libhsm calls are
>> prepended with hsm_. Your change makes an inconsistent prepending.
>
> The current change is not complete.

Ok.

> My proposal is to change all libhsm functions and types to prefix libhsm_ .

I would be fine with that. Thanks.

> With the addition of database object there is a reason for the naming of
> them and it is to be as clear as possible about the functionality from
> viewing the name.
>
> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/

From jerry at opendnssec.org Tue May 20 14:07:18 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 20 May 2014 16:07:18 +0200
Subject: [Opendnssec-develop] libhsm: parts renamed during 2.0 work
In-Reply-To: <5F1A5C7B-9A69-4D3F-BBC1-2D43995D13AC@openfortress.nl>
References: <1400589415.25828.21.camel@mine> <537B5338.6010205@nlnetlabs.nl> <1400591593.25828.24.camel@mine> <5F1A5C7B-9A69-4D3F-BBC1-2D43995D13AC@openfortress.nl>
Message-ID: <3931109817016441502@unknownmsgid>

Hi,

On 20 maj 2014, at 15:19, Rick van Rein wrote:

> So the protobuf-originated code is the new one. Changing that is less heavy on the project, esp. regarding porting of patches.

We are working on removing the protobuf code, everything will be in C now.
And do not worry about patches, I can handle the porting to 2.0 (patches can be sed'ed also).

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From rick at openfortress.nl Tue May 20 14:20:50 2014
From: rick at openfortress.nl (Rick van Rein)
Date: Tue, 20 May 2014 16:20:50 +0200
Subject: [Opendnssec-develop] HSMs use UTF-8 characters
Message-ID:

Hi Matthijs and Sion,

I am working on the libhsm code, auditing it. One thing I am running into is character sets. PKCS #11 uses RFC 2279 strings (older UTF-8 style) and the other code assumes ASCII.

There are two ways out of this:
 - only support ASCII - thus constraining token labels and PIN codes
 - pass UTF-8 codes to the libhsm-user as wide characters

When we only wish to support ASCII, we should reject other content, or remove character codes > 0x80 because we do not interpret them along the lines of RFC 2279.

When we decide to support rfc2279, we should use the facilities in C to represent strings in Unicode, using wchar_t. This type is supported with a lot of compiler functions, including printf ("%ls", my_wide_string). It is defined in a compiler-dependent manner, but must be able to carry all compiler-supported locales.

We cannot ignore UTF-8 like we have to date. There are a few openings for potential abuse, possibly in token labels or entered PINs:

 * Describe the '\0' character in an UTF-8 code of more than one byte, none of which is 0x00, and cause confusion elsewhere
 * Place a more-bytes-to-follow code before the '\0' (ASCII NUL) that ends a C-string -
   except when using a (bad but imaginable) UTF-8 interpreter
 * Strings may be provided under RFC 2279 and interpreted under RFC 3629 or ASCII (which are both stricter, a subset of RFC 2279)

I think we should continue to accept the UTF-8 coding of PKCS #11 but then communicate to libhsm using programs with wchar_t instead of char, and change the routines that print it to %ls instead of %s, and perhaps a few other changes are needed to integrate with the locale.

Does this sound like the right choice?

Cheers,
 -Rick

From Roland.vanRijswijk at surfnet.nl Tue May 20 14:28:16 2014
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk - Deij)
Date: Tue, 20 May 2014 16:28:16 +0200
Subject: [Opendnssec-develop] Maintenance on JIRA, Confluence and Crowd
Message-ID: <537B6680.6010303@surfnet.nl>

Hi all,

We will be performing maintenance on JIRA (issues.opendnssec.org), Confluence (wiki.opendnssec.org) and the SSO system Crowd tomorrow. The work will start in the morning around 8:30h CEST and will run latest until the end of the day, 17:30h CEST.

We are planning to migrate to the new server for these services tomorrow, which means that we will freeze content at some point in time. I will announce this to the list. If all goes well, we'll be able to use a shiny new server with the latest and greatest versions of JIRA and Confluence.

Cheers,

Roland

--
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surfnet.nl/en/
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
From jerry at opendnssec.org Tue May 20 14:41:09 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 20 May 2014 16:41:09 +0200
Subject: [Opendnssec-develop] Maintenance on JIRA, Confluence and Crowd
In-Reply-To: <537B6680.6010303@surfnet.nl>
References: <537B6680.6010303@surfnet.nl>
Message-ID: <-4770461162142998845@unknownmsgid>

On 20 maj 2014, at 16:28, Roland van Rijswijk - Deij <Roland.vanRijswijk at surfnet.nl> wrote:

> shiny new server with the latest and greatest versions of JIRA and
> Confluence.

YAY! :)

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From sara at sinodun.com Tue May 20 16:06:50 2014
From: sara at sinodun.com (Sara Dickinson)
Date: Tue, 20 May 2014 17:06:50 +0100
Subject: [Opendnssec-develop] Team meeting - Tuesday 20 May @ 14:00 CEST
In-Reply-To:
References:
Message-ID:

Hi All,

Minutes of the meeting today are available online for review:
https://wiki.opendnssec.org/display/OpenDNSSEC/2014-05-20+Minutes

I'm afraid I can't do Wed 11th June after all(!) so I would like to propose Friday 13th @ 14:00 CEST instead:

Date: Friday 13 June 2014
Time: 14:00-15:00 CEST, 13:00-14:00 BST, 20:00-21:00 CST, 12:00-13:00 UTC

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenDNSSEC meeting.ics
Type: text/calendar
Size: 712 bytes
Desc: not available
URL:
-------------- next part --------------

Sara.

On 19 May 2014, at 19:49, Sara Dickinson wrote:

> Hi All,
>
> We have a team meeting scheduled for tomorrow
>
> Date: Tuesday 20 May 2014
> Time: 14:00-15:00 CEST, 13:00-14:00 BST, 20:00-21:00 CST, 12:00-13:00 UTC
> Method: Teamspeak (https://wiki.opendnssec.org/display/OpenDNSSEC/Conference+call+details)
> Agenda: https://wiki.opendnssec.org/display/OpenDNSSEC/2014-05-20+Agenda
>
> Sara.
From sara at sinodun.com Tue May 20 16:17:14 2014
From: sara at sinodun.com (Sara Dickinson)
Date: Tue, 20 May 2014 17:17:14 +0100
Subject: [Opendnssec-develop] SoftHSM 1.3.7rc1 release candidate
Message-ID:

All,

Version 1.3.7rc1 of SoftHSM is now available. This is a release candidate for testing purposes:

SoftHSM 1.3.7rc1
------------------------

Bugfixes:
* SOFTHSM-94: umask affecting the calling application.
* SOFTHSM-96: Check if Botan has already been initialised.

Download:
* https://dist.opendnssec.org/source/testing/softhsm-1.3.7rc1.tar.gz
* https://dist.opendnssec.org/source/testing/softhsm-1.3.7rc1.tar.gz.sig
* Checksum SHA1: 61ea9cb52d2abad84053e77efbebd853963b1c89
* Checksum SHA256: c28049f483a211294721bae27a2efa7f17a7495d6f2f8a6a3fe54a4c72f1c5e6

A full SoftHSM 1.3.7 release is planned for Tuesday 27th May.

//OpenDNSSEC team

From sara at sinodun.com Tue May 20 16:35:45 2014
From: sara at sinodun.com (Sara Dickinson)
Date: Tue, 20 May 2014 17:35:45 +0100
Subject: [Opendnssec-develop] libhsm: parts renamed during 2.0 work
In-Reply-To: <5F1A5C7B-9A69-4D3F-BBC1-2D43995D13AC@openfortress.nl>
References: <1400589415.25828.21.camel@mine> <537B5338.6010205@nlnetlabs.nl> <1400591593.25828.24.camel@mine> <5F1A5C7B-9A69-4D3F-BBC1-2D43995D13AC@openfortress.nl>
Message-ID: <65B643D8-DF2C-41A8-97E9-A68958493680@sinodun.com>

On 20 May 2014, at 14:19, Rick van Rein wrote:

> Hi,
>
>> The name hsm_key describes it perfectly, because it's a database object
>> with the HSM key content. It was called HSM key in protobuf also but it
>> was C++ stil so it was HsmKey.
>
> So the protobuf-originated code is the new one. Changing that is less heavy on the project, esp. regarding porting of patches.

FWIW I agree with Rick here.
Changing the name of the DB object is less work, less risk and has zero impact on our production releases. Also the object is not actually an hsm key, it is a representation of an hsm key in the enforcer db so I don't think the naming should be so precious. Call it hsm_key_wrapper, hsm_key_descriptor, enforcer_hsm_key_ref,...? Surely you can be creative enough to solve this the simple way :-)

Sara.

From yuri at nlnetlabs.nl Tue May 20 18:45:55 2014
From: yuri at nlnetlabs.nl (Yuri Schaeffer)
Date: Tue, 20 May 2014 20:45:55 +0200
Subject: [Opendnssec-develop] Team meeting - Tuesday 20 May @ 14:00 CEST
In-Reply-To:
References:
Message-ID: <537BA2E3.9080208@nlnetlabs.nl>

> Date: Friday 13 June 2014 Time: 14:00-15:00 CEST,
> 13:00-14:00 BST, 20:00-21:00 CST, 12:00-13:00 UTC

Works for me. Wednesday wasn't exactly optimal for me as well...

From jerry at opendnssec.org Tue May 20 19:12:04 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 20 May 2014 21:12:04 +0200
Subject: [Opendnssec-develop] Team meeting - Tuesday 20 May @ 14:00 CEST
In-Reply-To: <537BA2E3.9080208@nlnetlabs.nl>
References: <537BA2E3.9080208@nlnetlabs.nl>
Message-ID: <8500935996833907225@unknownmsgid>

Same for me but... does it mean that the meeting is... DOOMED!!! :)

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

On 20 maj 2014, at 20:46, Yuri Schaeffer wrote:

Date: Friday 13 June 2014 Time: 14:00-15:00 CEST, 13:00-14:00 BST, 20:00-21:00 CST, 12:00-13:00 UTC

Works for me. Wednesday wasn't exactly optimal for me as well...
From jakob at kirei.se Tue May 20 20:42:44 2014
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 20 May 2014 22:42:44 +0200
Subject: [Opendnssec-develop] HSMs use UTF-8 characters
In-Reply-To:
References:
Message-ID: <8D30EC01-1126-447A-BB1C-EC29C5E05932@kirei.se>

As an OpenDNSSEC installation and associated HSMs should be considered a trusted system, I'm a bit reluctant to change. There is very low risk and I cannot see any realistic attacks to the current implementation. The only component creating keys in the repositories is OpenDNSSEC itself and we control that code. The remaining attack vectors would be imported keys, token labels and PINs.

Is fixing this worth the effort? If the fix is easy, go ahead. But change always introduces risk as well.

jakob

From yuri at nlnetlabs.nl Tue May 20 21:16:56 2014
From: yuri at nlnetlabs.nl (Yuri Schaeffer)
Date: Tue, 20 May 2014 23:16:56 +0200
Subject: [Opendnssec-develop] Team meeting - Tuesday 20 May @ 14:00 CEST
In-Reply-To: <8500935996833907225@unknownmsgid>
References: <537BA2E3.9080208@nlnetlabs.nl> <8500935996833907225@unknownmsgid>
Message-ID: <537BC648.1090701@nlnetlabs.nl>

> Same for me but... does it mean that the meeting is... DOOMED!!!
> :)

Well, I think the Wednesday meeting was clearly doomed. Friday is at best only susceptible to doomnation. But go ahead and wrap your teamspeak server in tinfoil if that eases your mind.
From jerry at opendnssec.org Wed May 21 04:31:19 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Wed, 21 May 2014 06:31:19 +0200
Subject: [Opendnssec-develop] HSMs use UTF-8 characters
In-Reply-To: <8D30EC01-1126-447A-BB1C-EC29C5E05932@kirei.se>
References: <8D30EC01-1126-447A-BB1C-EC29C5E05932@kirei.se>
Message-ID: <1400646679.13407.14.camel@what>

On tis, 2014-05-20 at 22:42 +0200, Jakob Schlyter wrote:
> Is fixing this worth the effort? If the fix is easy, go ahead. But change always introduces risk as well.

If the usage of wide characters is only the label and pin then it would only affect the reading and storing of the repositories from conf.xml, the pin daemon and of course the usage against libhsm/PKCS#11.

I do not think we use this information for anything else or for display so the impact code wise might be small.

For what version are we considering this for? I would think 2.x'ish.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
From jerry at opendnssec.org Wed May 21 04:41:59 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Wed, 21 May 2014 06:41:59 +0200
Subject: [Opendnssec-develop] libhsm: parts renamed during 2.0 work
In-Reply-To: <65B643D8-DF2C-41A8-97E9-A68958493680@sinodun.com>
References: <1400589415.25828.21.camel@mine> <537B5338.6010205@nlnetlabs.nl> <1400591593.25828.24.camel@mine> <5F1A5C7B-9A69-4D3F-BBC1-2D43995D13AC@openfortress.nl> <65B643D8-DF2C-41A8-97E9-A68958493680@sinodun.com>
Message-ID: <1400647319.13407.22.camel@what>

On tis, 2014-05-20 at 17:35 +0100, Sara Dickinson wrote:
> Changing the name of the DB object is less work, less risk and has zero impact on our production releases.

This change is only for 2.0 and forward, I never intended for this to go into our production releases!

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From Roland.vanRijswijk at surfnet.nl Wed May 21 08:45:09 2014
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk - Deij)
Date: Wed, 21 May 2014 10:45:09 +0200
Subject: [Opendnssec-develop] JIRA, Confluence and Crowd migration starts at 11:00h CEST
Message-ID: <537C6795.4000502@surfnet.nl>

Hi guys & gals,

We've finished setting up the new server and all seems well, which means we will be freezing the current instances of JIRA, Confluence and Crowd at 11:00h CEST.

From that point in time, access will be *read-only*, which means you can view stuff but can't change anything.

We expect the migration to last for a couple of hours because we have to import all the data and then have to upgrade all the applications to the latest versions which takes some time.
We currently expect that we will be ready to switch over to the new environment around 14:00h CEST, and will keep you posted. If all goes according to plan, we will have the new environment in production by the end of the afternoon.

Cheers,
Roland

--
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surfnet.nl/en/
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From sion at nominet.org.uk Wed May 21 09:45:25 2014
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Wed, 21 May 2014 10:45:25 +0100
Subject: [Opendnssec-develop] HSMs use UTF-8 characters
In-Reply-To: <1400646679.13407.14.camel@what>
References: <8D30EC01-1126-447A-BB1C-EC29C5E05932@kirei.se> <1400646679.13407.14.camel@what>
Message-ID: <537C75B5.4030403@nominet.org.uk>

On 21/05/14 05:31, Jerry Lundström wrote:
> On tis, 2014-05-20 at 22:42 +0200, Jakob Schlyter wrote:
>> Is fixing this worth the effort? If the fix is easy, go ahead. But change always introduces risk as well.
> If the usage of wide characters is only the label and pin then it would
> only affect the reading and storing of the repositories from conf.xml,
> the pin daemon and of course the usage against libhsm/PKCS#11.
>
> I do not think we use this information for anything else or for display
> so the impact code wise might be small.
>
> For what version are we considering this for? I would think 2.x'ish.

Does this cover the CKA_ID also? So could someone, potentially, import a key that can then not be used (or worse)?
From Roland.vanRijswijk at surfnet.nl Wed May 21 10:11:28 2014
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk - Deij)
Date: Wed, 21 May 2014 12:11:28 +0200
Subject: [Opendnssec-develop] Migration of JIRA, Confluence, Crowd is complete
Message-ID: <537C7BD0.7030204@surfnet.nl>

Hi all,

Much earlier than expected: the migration of JIRA, Confluence and Crowd is complete. We are now running the latest and greatest versions on a new server. The DNS records have been changed thanks to Jakob, so you should now all see the new machine.

Please contact me by mail if you experience any glitches with the new stuff; we've checked that everything works but you never know ;-)

Cheers,
Roland

--
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surfnet.nl/en/
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From jerry at opendnssec.org Wed May 21 10:17:26 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Wed, 21 May 2014 12:17:26 +0200
Subject: [Opendnssec-develop] Before 1.4.6rc1, merge OpenBSD compatibilities fixes
Message-ID: <1400667446.13407.31.camel@what>

Hi,

Before we do the 1.4.6rc1 I would really like to have the OpenBSD compatibilities merged in since this will make the work for the maintainer a lot easier and we will get an official OpenBSD package much faster.

I believe we are about done with the work, so if someone could just review the PRs before we merge it would be great.

https://github.com/opendnssec/opendnssec/pull/83
https://github.com/opendnssec/opendnssec/pull/86

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
From rick at openfortress.nl Wed May 21 14:39:11 2014
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 21 May 2014 16:39:11 +0200
Subject: [Opendnssec-develop] HSMs use UTF-8 characters
In-Reply-To: <1400646679.13407.14.camel@what>
References: <8D30EC01-1126-447A-BB1C-EC29C5E05932@kirei.se> <1400646679.13407.14.camel@what>
Message-ID:

Hi Sion / Jakob / Jerry,

> There is very low risk

Indeed, there is a positive risk

> and I cannot see any realistic attacks to the current implementation. The only component creating keys in the repositories is OpenDNSSEC itself

The PKCS #11 interface is a shared resource, so OpenDNSSEC is the only component as long as attackers play by our rules.

Also, programming errors such as unnoticed cut-offs of UTF-8 multiple-byte characters could cause the named issues. Just type a funny character in the right place and you've triggered it.

> and we control that code.

Hardly: I'm pretty sure nobody using libhsm has considered these potential problems, and that is precisely why I want to make it explicit. Both documentation and code are currently ignoring anything that is not ASCII.

Also, when printing literal codes to an UTF-8 output, we may upset such code. You'd be trusting terminals, screen / tmux, and much more to behave properly when presented with downright wrong data. Let's not take that risk.

> The remaining attack vectors would be imported keys, token labels and PINs.

Only textual fields, actually, and indeed also as part of imported keys.

> Is fixing this worth the effort? If the fix is easy, go ahead. But change always introduces risk as well.
The fix is easy, much easier than the systematic ignorance of checking for NULL return values and race condition problems ;-)

For the libhsm-using application it is simply a matter of
- renaming (char *) to (wchar_t *)
- using special formats in printf/scanf
- perhaps using wcslen() instead of strlen() and such, as driven by type errors

Within libhsm, I would map with mbstowcs() to convert, and possibly perform an RFC2279 syntax check.

> Does this cover the CKA_ID also? So could someone, potentially, import a
> key that can then not be used (or worse)?

CKA_ID is a binary code, so it should never be interpreted as text in any representation; but CKA_LABEL is its hex representation; this is generated by the keygen but never sought for.

> I do not think we use this information for anything else or for display
> so the impact code wise might be small.

Yes, probably.

> For what version are we considering this for? I would think 2.x'ish.

The audit I'm doing is against 1.4 and will be backported as well as possible to 1.3.

-Rick

From jerry at opendnssec.org Wed May 21 15:09:35 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Wed, 21 May 2014 17:09:35 +0200
Subject: [Opendnssec-develop] HSMs use UTF-8 characters
In-Reply-To:
References: <8D30EC01-1126-447A-BB1C-EC29C5E05932@kirei.se> <1400646679.13407.14.camel@what>
Message-ID: <1400684975.13407.33.camel@what>

On ons, 2014-05-21 at 16:39 +0200, Rick van Rein wrote:
> The fix is easy

Then we will wait for the pull request with the fix :)

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
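The "unnoticed cut-offs of UTF-8 multiple-byte characters" raised in the thread above, shown as an added example that is not part of the thread and not libhsm code: a byte-wise copy into the 32-byte blank-padded token label field of PKCS #11 (CK_TOKEN_INFO.label) next to a copy that validates first and stops on a character boundary. All function names and SAMPLE_LABEL are hypothetical and constructed for illustration; the validator applies the stricter RFC 3629 rules rather than RFC 2279.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_LABEL_LEN 32   /* CK_TOKEN_INFO.label: UTF-8, blank padded, no NUL */

/* Constructed sample: 31 ASCII bytes, then U+00F6 as the two bytes C3 B6. */
static const char SAMPLE_LABEL[] = "OpenDNSSEC repositories in Malm\xC3\xB6";

/* Byte length of the well-formed UTF-8 sequence at s (n bytes available),
 * or 0 if it is ill-formed or cut off. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    unsigned char lo = 0x80, hi = 0xBF;   /* allowed range of the second byte */
    size_t len, i;

    if (n == 0) return 0;
    if (s[0] < 0x80) return 1;
    if (s[0] >= 0xC2 && s[0] <= 0xDF) {
        len = 2;
    } else if (s[0] >= 0xE0 && s[0] <= 0xEF) {
        len = 3;
        if (s[0] == 0xE0) lo = 0xA0;      /* reject overlong 3-byte forms */
        if (s[0] == 0xED) hi = 0x9F;      /* reject UTF-16 surrogates */
    } else if (s[0] >= 0xF0 && s[0] <= 0xF4) {
        len = 4;
        if (s[0] == 0xF0) lo = 0x90;      /* reject overlong 4-byte forms */
        if (s[0] == 0xF4) hi = 0x8F;      /* reject values above U+10FFFF */
    } else {
        return 0;                         /* stray continuation, C0/C1, F5..FF */
    }
    if (n < len) return 0;                /* sequence cut off */
    if (s[1] < lo || s[1] > hi) return 0;
    for (i = 2; i < len; i++)
        if ((s[i] & 0xC0) != 0x80) return 0;
    return len;
}

/* 1 if the n bytes at s are well-formed UTF-8, 0 otherwise. */
int hsm_utf8_valid(const char *s, size_t n)
{
    const unsigned char *p = (const unsigned char *)s;
    while (n > 0) {
        size_t k = utf8_seq_len(p, n);
        if (k == 0) return 0;
        p += k;
        n -= k;
    }
    return 1;
}

/* Naive variant: truncates at byte 32 even if that splits a character. */
void naive_label_to_field(const char *label, unsigned char out[TOKEN_LABEL_LEN])
{
    size_t n = strlen(label);
    if (n > TOKEN_LABEL_LEN) n = TOKEN_LABEL_LEN;
    memset(out, ' ', TOKEN_LABEL_LEN);
    memcpy(out, label, n);
}

/* Checked variant: rejects ill-formed input (-1, out untouched), otherwise
 * copies only whole characters and returns the number of label bytes used. */
int hsm_label_to_field(const char *label, unsigned char out[TOKEN_LABEL_LEN])
{
    const unsigned char *p = (const unsigned char *)label;
    size_t n = strlen(label), used = 0;

    if (!hsm_utf8_valid(label, n)) return -1;
    while (used < n) {
        size_t k = utf8_seq_len(p + used, n - used);
        if (used + k > TOKEN_LABEL_LEN) break;   /* next character does not fit */
        used += k;
    }
    memcpy(out, p, used);
    memset(out + used, ' ', TOKEN_LABEL_LEN - used);
    return (int)used;
}

int main(void)
{
    unsigned char field[TOKEN_LABEL_LEN];
    int used;

    naive_label_to_field(SAMPLE_LABEL, field);
    printf("naive field valid UTF-8:   %d\n",
           hsm_utf8_valid((const char *)field, TOKEN_LABEL_LEN));
    used = hsm_label_to_field(SAMPLE_LABEL, field);
    printf("checked field valid UTF-8: %d (label bytes used: %d)\n",
           hsm_utf8_valid((const char *)field, TOKEN_LABEL_LEN), used);
    return 0;
}
```

A caller that uses the label for lookups should compare the returned length with strlen(label) and decide whether a shortened label is acceptable.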
From jerry at opendnssec.org Thu May 22 05:03:43 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 22 May 2014 07:03:43 +0200
Subject: [Opendnssec-develop] Re: Before 1.4.6rc1, merge OpenBSD compatibilities fixes
In-Reply-To: <1400667446.13407.31.camel@what>
References: <1400667446.13407.31.camel@what>
Message-ID: <1400735023.30643.20.camel@what>

Hi all,

On ons, 2014-05-21 at 12:17 +0200, Jerry Lundström wrote:
> Before we do the 1.4.6rc1 I would really like to have the OpenBSD
> compatibilities merged in since this will make the work for the
> maintainer a lot easier and we will get an official OpenBSD package much
> faster.
>
> I believe we are about done with the work, so if someone could just
> review the PRs before we merge it would be great.
>
> https://github.com/opendnssec/opendnssec/pull/83
> https://github.com/opendnssec/opendnssec/pull/86

So with regards to compatibilities with OpenBSD the port maintainer is satisfied with the changes in the PR.

Can someone please review the changes today or tomorrow? Please let me know.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jerry at opendnssec.org Thu May 22 06:39:31 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 22 May 2014 08:39:31 +0200
Subject: [Opendnssec-develop] Re: Before 1.4.6rc1, merge OpenBSD compatibilities fixes
In-Reply-To: <1400735023.30643.20.camel@what>
References: <1400667446.13407.31.camel@what> <1400735023.30643.20.camel@what>
Message-ID: <3662747364219047724@unknownmsgid>

Thanks Matthijs!
--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

On 22 maj 2014, at 07:03, "Jerry Lundström" wrote:

Hi all,

On ons, 2014-05-21 at 12:17 +0200, Jerry Lundström wrote:

Before we do the 1.4.6rc1 I would really like to have the OpenBSD compatibilities merged in since this will make the work for the maintainer a lot easier and we will get an official OpenBSD package much faster.

I believe we are about done with the work, so if someone could just review the PRs before we merge it would be great.

https://github.com/opendnssec/opendnssec/pull/83
https://github.com/opendnssec/opendnssec/pull/86

So with regards to compatibilities with OpenBSD the port maintainer is satisfied with the changes in the PR.

Can someone please review the changes today or tomorrow? Please let me know.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jerry at opendnssec.org Thu May 22 08:38:22 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 22 May 2014 10:38:22 +0200
Subject: [Opendnssec-develop] Migration of JIRA, Confluence, Crowd is complete
In-Reply-To: <537C7BD0.7030204@surfnet.nl>
References: <537C7BD0.7030204@surfnet.nl>
Message-ID: <1400747902.6499.2.camel@mine>

On ons, 2014-05-21 at 12:11 +0200, Roland van Rijswijk - Deij wrote:
> Please contact me by mail if you experience any glitches with the new
> stuff; we've checked that everything works but you never know ;-)

Just a small note (not really important), the tab icon for Jira is gone. Was the OpenDNSSEC button before.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
From Roland.vanRijswijk at surfnet.nl Thu May 22 08:41:51 2014
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk - Deij)
Date: Thu, 22 May 2014 10:41:51 +0200
Subject: [Opendnssec-develop] Migration of JIRA, Confluence, Crowd is complete
In-Reply-To: <1400747902.6499.2.camel@mine>
References: <537C7BD0.7030204@surfnet.nl> <1400747902.6499.2.camel@mine>
Message-ID: <537DB84F.3040504@surfnet.nl>

Hi Jerry,

Jerry Lundström wrote:
> On ons, 2014-05-21 at 12:11 +0200, Roland van Rijswijk - Deij wrote:
>> Please contact me by mail if you experience any glitches with the new
>> stuff; we've checked that everything works but you never know ;-)
>
> Just a small note (not really important), the tab icon for Jira is gone.
> Was the OpenDNSSEC button before.

That's odd, I do see the OpenDNSSEC button there (see screenshot). Or are we talking about different things?

Cheers,
Roland

--
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surfnet.nl/en/
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2014-05-22 at 10.41.39.png
Type: image/png
Size: 22205 bytes
Desc: not available
URL:
From jerry at opendnssec.org Thu May 22 08:48:18 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 22 May 2014 10:48:18 +0200
Subject: [Opendnssec-develop] Migration of JIRA, Confluence, Crowd is complete
In-Reply-To: <537DB84F.3040504@surfnet.nl>
References: <537C7BD0.7030204@surfnet.nl> <1400747902.6499.2.camel@mine> <537DB84F.3040504@surfnet.nl>
Message-ID: <1400748498.6499.5.camel@mine>

On tor, 2014-05-22 at 10:41 +0200, Roland van Rijswijk - Deij wrote:
> That's odd, I do see the OpenDNSSEC button there (see screenshot). Or
> are we talking about different things?

Yes, I mean the icon in the browser tabs not on the page itself.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From Roland.vanRijswijk at surfnet.nl Thu May 22 08:47:55 2014
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk - Deij)
Date: Thu, 22 May 2014 10:47:55 +0200
Subject: [Opendnssec-develop] Migration of JIRA, Confluence, Crowd is complete
In-Reply-To: <1400748498.6499.5.camel@mine>
References: <537C7BD0.7030204@surfnet.nl> <1400747902.6499.2.camel@mine> <537DB84F.3040504@surfnet.nl> <1400748498.6499.5.camel@mine>
Message-ID: <537DB9BB.6040807@surfnet.nl>

Jerry Lundström wrote:
> On tor, 2014-05-22 at 10:41 +0200, Roland van Rijswijk - Deij wrote:
>> That's odd, I do see the OpenDNSSEC button there (see screenshot). Or
>> are we talking about different things?
>
> Yes, I mean the icon in the browser tabs not on the page itself.

Ah, you mean the "favicon". Lemme see if I can fix that ;-)

Cheers,
Roland

--
-- Roland M.
van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surfnet.nl/en/
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From Roland.vanRijswijk at surfnet.nl Thu May 22 09:01:32 2014
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk - Deij)
Date: Thu, 22 May 2014 11:01:32 +0200
Subject: [Opendnssec-develop] Migration of JIRA, Confluence, Crowd is complete
In-Reply-To: <1400748498.6499.5.camel@mine>
References: <537C7BD0.7030204@surfnet.nl> <1400747902.6499.2.camel@mine> <537DB84F.3040504@surfnet.nl> <1400748498.6499.5.camel@mine>
Message-ID: <537DBCEC.1030607@surfnet.nl>

Hi Jerry,

Jerry Lundström wrote:
> On tor, 2014-05-22 at 10:41 +0200, Roland van Rijswijk - Deij wrote:
>> That's odd, I do see the OpenDNSSEC button there (see screenshot). Or
>> are we talking about different things?
>
> Yes, I mean the icon in the browser tabs not on the page itself.

Should be fixed!

Cheers,
Roland

--
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surfnet.nl/en/
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From Roland.vanRijswijk at surfnet.nl Thu May 22 09:08:16 2014
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk - Deij)
Date: Thu, 22 May 2014 11:08:16 +0200
Subject: [Opendnssec-develop] Maintenance on wiki.opendnssec.org and crowd.opendnssec.org (security patch)
Message-ID: <537DBE80.1000803@surfnet.nl>

Dear all,

There will be a short maintenance window on wiki.opendnssec.org and crowd.opendnssec.org between 7:30AM CEST and 8:30AM CEST to patch and upgrade the software to deal with a security vulnerability reported by Atlassian.
During the maintenance window wiki.opendnssec.org may be unavailable and logging in to issues.opendnssec.org may be disabled due to maintenance on Crowd.

Best regards,
Roland

--
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surfnet.nl/en/
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From sara at sinodun.com Thu May 22 09:59:14 2014
From: sara at sinodun.com (Sara Dickinson)
Date: Thu, 22 May 2014 10:59:14 +0100
Subject: [Opendnssec-develop] Maintenance on wiki.opendnssec.org and crowd.opendnssec.org (security patch)
In-Reply-To: <537DBE80.1000803@surfnet.nl>
References: <537DBE80.1000803@surfnet.nl>
Message-ID: <5C38F832-35A6-4FAA-8792-E234DF5AD470@sinodun.com>

On 22 May 2014, at 10:08, Roland van Rijswijk - Deij wrote:

> Dear all,
>
> There will be a short maintenance window on wiki.opendnssec.org and
> crowd.opendnssec.org between 7:30AM CEST and 8:30AM CEST to patch and
> upgrade the software to deal with a security vulnerability reported by
> Atlassian.

Just when you thought you had everything on the latest and greatest ;-)

Congrats on the really smooth upgrade - looks great!

Sara.
From Roland.vanRijswijk at surfnet.nl Thu May 22 11:20:22 2014
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk - Deij)
Date: Thu, 22 May 2014 13:20:22 +0200
Subject: [Opendnssec-develop] Maintenance on wiki.opendnssec.org and crowd.opendnssec.org (security patch)
In-Reply-To: <5C38F832-35A6-4FAA-8792-E234DF5AD470@sinodun.com>
References: <537DBE80.1000803@surfnet.nl> <5C38F832-35A6-4FAA-8792-E234DF5AD470@sinodun.com>
Message-ID: <537DDD76.70906@surfnet.nl>

Hi Sara,

Sara Dickinson wrote:
> On 22 May 2014, at 10:08, Roland van Rijswijk - Deij wrote:
>> There will be a short maintenance window on wiki.opendnssec.org and
>> crowd.opendnssec.org between 7:30AM CEST and 8:30AM CEST to patch and
>> upgrade the software to deal with a security vulnerability reported by
>> Atlassian.
>
> Just when you thought you had everything on the latest and greatest ;-)

Bloody typical ;-)

> Congrats on the really smooth upgrade - looks great!

Thanks!

Cheers,
Roland

--
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surfnet.nl/en/
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From matthijs at nlnetlabs.nl Thu May 22 11:38:44 2014
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Thu, 22 May 2014 13:38:44 +0200
Subject: [Opendnssec-develop] New conf.xml options in 1.3.18 and 1.4.6
Message-ID: <537DE1C4.5030700@nlnetlabs.nl>

Hi,

FYI: This pull request for 1.3.18:

https://github.com/opendnssec/opendnssec/pull/89

introduces three new optional elements for conf.xml:

//Configuration/Enforcer/PidFile
//Configuration/Signer/PidFile
//Configuration/Signer/SocketFile

This required changes in ods-control, namely a way to read out the value out of the conf.xml instead of using the default.
It seems the most simple to create a new tool: ods-getconf, that can read out the value, given an expression.

I would also like to apply this to 1.4.6.

Best regards,
Matthijs

From jerry at opendnssec.org Thu May 22 11:47:54 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 22 May 2014 13:47:54 +0200
Subject: [Opendnssec-develop] New conf.xml options in 1.3.18 and 1.4.6
In-Reply-To: <537DE1C4.5030700@nlnetlabs.nl>
References: <537DE1C4.5030700@nlnetlabs.nl>
Message-ID: <1400759274.15048.0.camel@mine>

On tor, 2014-05-22 at 13:38 +0200, Matthijs Mekking wrote:
> introduces three new optional elements for conf.xml:
>
> //Configuration/Enforcer/PidFile
> //Configuration/Signer/PidFile
> //Configuration/Signer/SocketFile

+1

> This required changes in ods-control, namely a way to read out the value
> out of the conf.xml instead of using the default. It seems the most
> simple to create a new tool: ods-getconf, that can read out
> the value, given an expression.

+1

> I would also like to apply this to 1.4.6.

+1

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jerry at opendnssec.org Fri May 23 05:03:30 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Fri, 23 May 2014 07:03:30 +0200
Subject: [Opendnssec-develop] New conf.xml options in 1.3.18 and 1.4.6
In-Reply-To: <537DE1C4.5030700@nlnetlabs.nl>
References: <537DE1C4.5030700@nlnetlabs.nl>
Message-ID: <1400821410.8323.1.camel@what>

On tor, 2014-05-22 at 13:38 +0200, Matthijs Mekking wrote:
> FYI: This pull request for 1.3.18:
>
> https://github.com/opendnssec/opendnssec/pull/89

The changes have made the daily test signer.ods_signer.serial fail on all platforms, can you look at it?
--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From matthijs at nlnetlabs.nl Fri May 23 06:58:08 2014
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Fri, 23 May 2014 08:58:08 +0200
Subject: [Opendnssec-develop] New conf.xml options in 1.3.18 and 1.4.6
In-Reply-To: <1400821410.8323.1.camel@what>
References: <537DE1C4.5030700@nlnetlabs.nl> <1400821410.8323.1.camel@what>
Message-ID: <537EF180.80609@nlnetlabs.nl>

On 05/23/2014 07:03 AM, Jerry Lundström wrote:
> On tor, 2014-05-22 at 13:38 +0200, Matthijs Mekking wrote:
>> FYI: This pull request for 1.3.18:
>>
>> https://github.com/opendnssec/opendnssec/pull/89
>
> The changes have made the daily test signer.ods_signer.serial fail on all
> platforms, can you look at it?

Ah, I introduced long options in the signer client, now --serial is an unrecognized option. Will remove long options from the signer client again.

Matthijs

From Roland.vanRijswijk at surfnet.nl Fri May 23 09:19:24 2014
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk - Deij)
Date: Fri, 23 May 2014 11:19:24 +0200
Subject: [Opendnssec-develop] Maintenance on wiki.opendnssec.org and crowd.opendnssec.org [completed]
Message-ID: <537F129C.2020203@surfnet.nl>

Dear all,

This is just to let you know that Confluence has been patched successfully and Crowd has been upgraded to the latest release.

Have a nice weekend!

Cheers,
Roland

--
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surfnet.nl/en/
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
From jerry at opendnssec.org Mon May 26 11:19:45 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 26 May 2014 13:19:45 +0200
Subject: [Opendnssec-develop] Test platforms update
Message-ID: <1401103185.19988.13.camel@mine>

Hi,

I have added Ubuntu 14.04 to the test platforms and all Jenkins jobs now, including PR.

I also added Solaris 11 x86 to all build jobs on Jenkins but not for the PR.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jerry at opendnssec.org Mon May 26 13:25:03 2014
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 26 May 2014 15:25:03 +0200
Subject: [Opendnssec-develop] Re: Test platforms update
In-Reply-To: <1401103185.19988.13.camel@mine>
References: <1401103185.19988.13.camel@mine>
Message-ID: <1401110703.19988.27.camel@mine>

On mån, 2014-05-26 at 13:19 +0200, Jerry Lundström wrote:
> I also added Solaris 11 x86 to all build jobs on Jenkins but not for the
> PR.

The Solaris VM has been turned off, hopefully getting more CPU and memory for it to see if it's a bit faster, currently takes almost double the time to run anything compared to the other VMs.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
From sara at sinodun.com Tue May 27 12:58:10 2014
From: sara at sinodun.com (Sara Dickinson)
Date: Tue, 27 May 2014 13:58:10 +0100
Subject: [Opendnssec-develop] Fwd: [Opendnssec-maintainers] SoftHSM 1.3.7rc1 release candidate
References:
Message-ID: <19D8869C-621F-4DFC-BFBD-4A5C3F5EB1E8@sinodun.com>

Hi All,

I'm not aware of any problems with the SoftHSM 1.3.7rc1 so I would like to go ahead with the full release.

Jerry - could you please create a tarball for this?

Sara.

Begin forwarded message:

> From: Sara Dickinson
> Subject: [Opendnssec-maintainers] SoftHSM 1.3.7rc1 release candidate
> Date: 20 May 2014 17:17:14 BST
> To: opendnssec-maintainers at lists.opendnssec.org
> Cc: Opd Dev
>
> All,
>
> Version 1.3.7rc1 of SoftHSM is now available. This is a release candidate for testing purposes:
>
>
> SoftHSM 1.3.7rc1
> ------------------------
>
> Bugfixes:
> * SOFTHSM-94: umask affecting the calling application.
> * SOFTHSM-96: Check if Botan has already been initialised.
>
> Download:
> * https://dist.opendnssec.org/source/testing/softhsm-1.3.7rc1.tar.gz
> * https://dist.opendnssec.org/source/testing/softhsm-1.3.7rc1.tar.gz.sig
> * Checksum SHA1: 61ea9cb52d2abad84053e77efbebd853963b1c89
> * Checksum SHA256: c28049f483a211294721bae27a2efa7f17a7495d6f2f8a6a3fe54a4c72f1c5e6
>
>
> A full SoftHSM 1.3.7 release is planned for Tuesday 27th May.
>
>
> //OpenDNSSEC team
>
>
> _______________________________________________
> Opendnssec-maintainers mailing list
> Opendnssec-maintainers at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-maintainers

From sara at sinodun.com Tue May 27 13:02:20 2014
From: sara at sinodun.com (Sara Dickinson)
Date: Tue, 27 May 2014 14:02:20 +0100
Subject: [Opendnssec-develop] RE: 1.4.6 release candidate
Message-ID: <36C341ED-39BA-4DE9-9B22-FDDBEBE57499@sinodun.com>

Hi All,

Matthijs is keen to add the functionality for OPENDNSSEC-620 (conf.xml PidFile and SocketFile) to the 1.4.6 release and I agree this is a good idea. This will mean that the release won't be ready until next week probably, but I think this is the right thing to do.

So the updated plan is to now do a 1.4.6rc1 release next week.

Any comments or concerns, please let me know.

Regards

Sara.

From jerry at opendnssec.org Wed May 28 06:12:43 2014
From: jerry at opendnssec.org (Jerry =?ISO-8859-1?Q?Lundstr=F6m?=)
Date: Wed, 28 May 2014 08:12:43 +0200
Subject: [Opendnssec-develop] Fwd: [Opendnssec-maintainers] SoftHSM 1.3.7rc1 release candidate
In-Reply-To: <19D8869C-621F-4DFC-BFBD-4A5C3F5EB1E8@sinodun.com>
References: <19D8869C-621F-4DFC-BFBD-4A5C3F5EB1E8@sinodun.com>
Message-ID: <1401257563.9259.1.camel@what>

On tis, 2014-05-27 at 13:58 +0100, Sara Dickinson wrote:
> Jerry - could you please create a tarball for this?

https://dist.opendnssec.org/source/softhsm-1.3.7.tar.gz
https://dist.opendnssec.org/source/softhsm-1.3.7.tar.gz.sig

SHA1 e8bf4269472f9e63d1dfeda238b1d542d6c036f2
SHA256 d12d6456a85561266d9da427565f3ee3746a35df6670d5e6be75de253c2810a4

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
From sara at sinodun.com Wed May 28 13:18:21 2014
From: sara at sinodun.com (Sara Dickinson)
Date: Wed, 28 May 2014 14:18:21 +0100
Subject: [Opendnssec-develop] SoftHSM 1.3.7
Message-ID:

All,

Version 1.3.7 of SoftHSM has now been released. This is the latest stable release.

Bugfixes:
* SOFTHSM-94: umask affecting the calling application.
* SOFTHSM-96: Check if Botan has already been initialised.

Documentation:
* https://wiki.opendnssec.org/display/SoftHSMDOCS/SoftHSM+Documentation+v1.3

Download:
* https://dist.opendnssec.org/source/softhsm-1.3.7.tar.gz
* https://dist.opendnssec.org/source/softhsm-1.3.7.tar.gz.sig
* Checksum SHA1: e8bf4269472f9e63d1dfeda238b1d542d6c036f2
* Checksum SHA256: d12d6456a85561266d9da427565f3ee3746a35df6670d5e6be75de253c2810a4

//OpenDNSSEC team